Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1532899
MD5:	6f9619fa7cf95762cc014f84b308c135
SHA1:	d892a42085bdf61e59b949e401dc62f12c190a5e
SHA256:	b9d2c9598fb357f3e9009a5bd5ecddeb592c50486d2993141ffbfc3431ae03c8
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 4028 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6F9619FA7CF95762CC014F84B308C135)

taskkill.exe (PID: 6436 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1892 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1412 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 612 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 2364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3292 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7104 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1248 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 1352 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4712 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2168 -parentBuildID 20230927232528 -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6efb8e24-567d-4fe6-86ee-59a725f1c88d} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 2bc7146e310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7064 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3768 -parentBuildID 20230927232528 -prefsHandle 2972 -prefMapHandle 1404 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d7b3dce-133c-439f-9923-f863713a0353} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 2bc82924e10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7472 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5088 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5028 -prefMapHandle 5064 -prefsLen 31270 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c982563-852c-4314-abb2-ed591bccd091} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 2bc71473110 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 4028	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_00CCEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00CCEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CCED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00CCED6A

Source: C:\Users\user\Desktop\file.exe

0_2_00CCEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CBAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00CBAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CE9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00CE9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000000.2100137381.0000000000D12000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1db42803-e
Source: file.exe, 00000000.00000000.2100137381.0000000000D12000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_fa2d9d49-e
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a596d758-7
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_d8bedc4e-3

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002214D3D65F7 NtQuerySystemInformation,		17_2_000002214D3D65F7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002214D3F69F2 NtQuerySystemInformation,		17_2_000002214D3F69F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CBD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00CBD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00CB1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CBE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00CBE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC2046	0_2_00CC2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C58060	0_2_00C58060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB8298	0_2_00CB8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C8E4FF	0_2_00C8E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C8676B	0_2_00C8676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE4873	0_2_00CE4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C5CAF0	0_2_00C5CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C7CAA0	0_2_00C7CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C6CC39	0_2_00C6CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C86DD9	0_2_00C86DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C591C0	0_2_00C591C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C6B119	0_2_00C6B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C71394	0_2_00C71394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C71706	0_2_00C71706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C7781B	0_2_00C7781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C719B0	0_2_00C719B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C6997D	0_2_00C6997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C57920	0_2_00C57920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C77A4A	0_2_00C77A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C77CA7	0_2_00C77CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C71C77	0_2_00C71C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C89EEE	0_2_00C89EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CDBE44	0_2_00CDBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C71F32	0_2_00C71F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 14_3_000001A98E1F66F9	14_3_000001A98E1F66F9
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002214D3D65F7	17_2_000002214D3D65F7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002214D3F69F2	17_2_000002214D3F69F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002214D3F711C	17_2_000002214D3F711C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 17_2_000002214D3F6A32	17_2_000002214D3F6A32

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C70A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C59CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00C6F9F2 appears 40 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@68/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CC37B5 GetLastError,FormatMessageW,

0_2_00CC37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB10BF AdjustTokenPrivileges,CloseHandle,		0_2_00CB10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CB16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00CB16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CC51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00CC51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CBD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00CBD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CC648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00CC648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C542A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C542A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.2385953326.000002BC8B152000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2273874441.000002BC8B9AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.2385953326.000002BC8B152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.2385953326.000002BC8B152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.2385953326.000002BC8B152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.2274880026.000002BC8B3AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2317175242.000002BC8B3B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2307218115.000002BC8B3AD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.2385953326.000002BC8B152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.2385953326.000002BC8B152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.2385953326.000002BC8B152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.2385953326.000002BC8B152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.2385953326.000002BC8B152000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2168 -parentBuildID 20230927232528 -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6efb8e24-567d-4fe6-86ee-59a725f1c88d} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 2bc7146e310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3768 -parentBuildID 20230927232528 -prefsHandle 2972 -prefMapHandle 1404 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d7b3dce-133c-439f-9923-f863713a0353} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 2bc82924e10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5088 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5028 -prefMapHandle 5064 -prefsLen 31270 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c982563-852c-4314-abb2-ed591bccd091} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 2bc71473110 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2168 -parentBuildID 20230927232528 -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6efb8e24-567d-4fe6-86ee-59a725f1c88d} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 2bc7146e310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3768 -parentBuildID 20230927232528 -prefsHandle 2972 -prefMapHandle 1404 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d7b3dce-133c-439f-9923-f863713a0353} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 2bc82924e10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5088 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5028 -prefMapHandle 5064 -prefsLen 31270 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c982563-852c-4314-abb2-ed591bccd091} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 2bc71473110 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: kbdus.pdb source: firefox.exe, 0000000E.00000003.2284683746.000002BC7FF64000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284982874.000002BC7FF85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.2290894564.000002BC7FF98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290477478.000002BC7FF85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdb source: firefox.exe, 0000000E.00000003.2283709402.000002BC7FF64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: npmproxy.pdbUGP source: firefox.exe, 0000000E.00000003.2290894564.000002BC7FF98000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.2290894564.000002BC7FF98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290477478.000002BC7FF85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.2288590127.000002BC7FF98000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: npmproxy.pdb source: firefox.exe, 0000000E.00000003.2290894564.000002BC7FF98000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ktmw32.pdbGCTL source: firefox.exe, 0000000E.00000003.2283709402.000002BC7FF64000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.2288590127.000002BC7FF98000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kbdus.pdbGCTL source: firefox.exe, 0000000E.00000003.2284683746.000002BC7FF64000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2284982874.000002BC7FF85000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C542DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C70A76 push ecx; ret

0_2_00C70A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C6F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C6F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CE1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00CE1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96627

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000002214D3D65F7 rdtsc

17_2_000002214D3D65F7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.5 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CBDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00CBDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C8C2A2 FindFirstFileExW,	0_2_00C8C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC68EE FindFirstFileW,FindClose,	0_2_00CC68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00CC698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CBD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CBD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CBD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00CBD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CC9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00CC979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00CC9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CC5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00CC5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C542DE

Source: firefox.exe, 00000010.00000002.3355778211.0000015C6DE00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: firefox.exe, 00000010.00000002.3348093863.0000015C6D80A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: firefox.exe, 00000012.00000002.3348371633.00000193742EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: firefox.exe, 00000010.00000002.3355778211.0000015C6DE00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWt
Source: firefox.exe, 00000010.00000002.3355778211.0000015C6DE00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3355371990.000002214D450000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3347360750.000002214CB7A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000012.00000002.3353651098.0000019374600000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW&
Source: firefox.exe, 00000010.00000002.3354693911.0000015C6DD13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000011.00000002.3355371990.000002214D450000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: firefox.exe, 00000010.00000002.3355778211.0000015C6DE00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3355371990.000002214D450000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 17_2_000002214D3D65F7 rdtsc

17_2_000002214D3D65F7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CCEAA2 BlockInput,

0_2_00CCEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C82622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00C82622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C542DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C74CE8 mov eax, dword ptr fs:[00000030h]

0_2_00C74CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00CB0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C82622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C82622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C7083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C7083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C709D5 SetUnhandledExceptionFilter,	0_2_00C709D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00C70C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00C70C21

Source: C:\Users\user\Desktop\file.exe

0_2_00CB1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C92BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C92BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CBB226 SendInput,keybd_event,

0_2_00CBB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CD22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00CD22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00CB0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CB1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00CB1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C70698 cpuid

0_2_00C70698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CC8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00CC8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00CAD27A GetUserNameW,

0_2_00CAD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C8B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00C8B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00C542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C542DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 4028, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 4028, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00CD1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00CD1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00CD1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	37%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse
twitter.com	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
prod.detectportal.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
services.addons.mozilla.org	0%	Virustotal	Browse
dyna.wikimedia.org	0%	Virustotal	Browse
prod.remote-settings.prod.webservices.mozgcp.net	0%	Virustotal	Browse
reddit.map.fastly.net	0%	Virustotal	Browse
youtube.com	0%	Virustotal	Browse
youtube-ui.l.google.com	0%	Virustotal	Browse
prod.ads.prod.webservices.mozgcp.net	0%	Virustotal	Browse
contile.services.mozilla.com	0%	Virustotal	Browse
us-west1.prod.sumo.prod.webservices.mozgcp.net	0%	Virustotal	Browse
normandy-cdn.services.mozilla.com	0%	Virustotal	Browse
prod.content-signature-chains.prod.webservices.mozgcp.net	0%	Virustotal	Browse
spocs.getpocket.com	0%	Virustotal	Browse
www.reddit.com	0%	Virustotal	Browse
push.services.mozilla.com	0%	Virustotal	Browse
ipv4only.arpa	0%	Virustotal	Browse
content-signature-2.cdn.mozilla.net	0%	Virustotal	Browse
www.youtube.com	0%	Virustotal	Browse
telemetry-incoming.r53-2.services.mozilla.com	0%	Virustotal	Browse
support.mozilla.org	0%	Virustotal	Browse
www.wikipedia.org	0%	Virustotal	Browse
normandy.cdn.mozilla.net	0%	Virustotal	Browse
shavar.services.mozilla.com	0%	Virustotal	Browse
firefox.settings.services.mozilla.com	0%	Virustotal	Browse
detectportal.firefox.com	0%	Virustotal	Browse
www.facebook.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
https://datastudio.google.com/embed/reporting/	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://www.leboncoin.fr/	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	0%	Virustotal		Browse
https://json-schema.org/draft/2019-09/schema.	0%	Virustotal		Browse
https://github.com/w3c/csswg-drafts/issues/4650	0%	Virustotal		Browse
https://www.msn.com	0%	Virustotal		Browse
https://youtube.com/	0%	Virustotal		Browse
https://github.com/mozilla-services/screenshots	0%	Virustotal		Browse
https://www.amazon.com/exec/obidos/external-search/	0%	Virustotal		Browse
https://www.instagram.com/	0%	Virustotal		Browse
https://content-signature-2.cdn.mozilla.net/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.253.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
twitter.com	104.244.42.1	true	false	0%, Virustotal, Browse	unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	0%, Virustotal, Browse	unknown
services.addons.mozilla.org	52.222.236.80	true	false	0%, Virustotal, Browse	unknown
dyna.wikimedia.org	185.15.59.224	true	false	0%, Virustotal, Browse	unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	0%, Virustotal, Browse	unknown
contile.services.mozilla.com	34.117.188.166	true	false	0%, Virustotal, Browse	unknown
youtube.com	142.250.186.142	true	false	0%, Virustotal, Browse	unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	0%, Virustotal, Browse	unknown
youtube-ui.l.google.com	142.250.181.238	true	false	0%, Virustotal, Browse	unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	0%, Virustotal, Browse	unknown
reddit.map.fastly.net	151.101.129.140	true	false	0%, Virustotal, Browse	unknown
ipv4only.arpa	192.0.0.170	true	false	0%, Virustotal, Browse	unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	0%, Virustotal, Browse	unknown
push.services.mozilla.com	34.107.243.93	true	false	0%, Virustotal, Browse	unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	0%, Virustotal, Browse	unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	0%, Virustotal, Browse	unknown
www.reddit.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
spocs.getpocket.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
support.mozilla.org	unknown	unknown	false	0%, Virustotal, Browse	unknown
firefox.settings.services.mozilla.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.youtube.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.facebook.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
detectportal.firefox.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
normandy.cdn.mozilla.net	unknown	unknown	false	0%, Virustotal, Browse	unknown
shavar.services.mozilla.com	unknown	unknown	false	0%, Virustotal, Browse	unknown
www.wikipedia.org	unknown	unknown	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000012.00000002.3349785789.00000193745C8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.2221204760.000002BC8B799000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.2365033333.000002BC80B6F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.2194802639.000002BC88331000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296464567.000002BC8831C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	firefox.exe, 00000010.00000002.3350288134.0000015C6DBC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3348978354.000002214CEEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3349785789.00000193745EF000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.3349785789.0000019374587000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.2383043000.000002BC8B761000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221204760.000002BC8B756000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2316214576.000002BC8B758000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.2320908437.000002BC8817D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2352377143.000002BC8817D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222265186.000002BC8817D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.2316637804.000002BC8B5DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274756929.000002BC8B5ED000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.2318233195.000002BC8B1DE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.2319953153.000002BC882DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2388008995.000002BC89867000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.2319570660.000002BC88747000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2175808127.000002BC80638000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.2391384487.000002BC83921000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.2367024855.000002BC89DE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2334630621.000002BC89DE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2386382464.000002BC89DE8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.2320116251.000002BC88263000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.2174226834.000002BC8061D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274207160.000002BC8B775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2317175242.000002BC8B3FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2346648613.000002BC8B3FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176476091.000002BC80653000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177165398.000002BC8066F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314234177.000002BC8027E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2353951561.000002BC8B790000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2307218115.000002BC8B3FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177454754.000002BC8068A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274880026.000002BC8B3FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382761322.000002BC8B790000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2385262013.000002BC8B3FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2332918765.000002BC8B3FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2173826469.000002BC80400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2175808127.000002BC80638000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.2358715714.000002BC8394C000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.2174226834.000002BC8061D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2176476091.000002BC80653000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2177165398.000002BC8066F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2173826469.000002BC80400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2175808127.000002BC80638000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.2320908437.000002BC881E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2352339862.000002BC881E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222265186.000002BC881E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2357860429.000002BC87E6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2390974800.000002BC87E82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2390364288.000002BC881ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2362826026.000002BC82B88000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.2274880026.000002BC8B3C3000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.2383043000.000002BC8B761000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221204760.000002BC8B756000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2316214576.000002BC8B758000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.2387204617.000002BC89D55000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.instagram.com/	firefox.exe, 0000000E.00000003.2252787838.000002BC8B8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2260696344.000002BC8B8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2229151442.000002BC8B8DF000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.2319408307.000002BC887AB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.2223629817.000002BC802DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2303277888.000002BC802DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2227027466.000002BC802DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183016492.000002BC802DE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.microso%#	firefox.exe, 0000000E.00000003.2288865294.000002BC7FF6E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2286559472.000002BC7FF64000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2290932437.000002BC7FF6E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.youtube.com/	firefox.exe, 00000012.00000002.3349785789.000001937450C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.2224061778.000002BC802A5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.2307878971.000002BC89CEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2335282171.000002BC89CF0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.2320908437.000002BC8817D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2352377143.000002BC8817D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222265186.000002BC8817D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.2355538536.000002BC89D48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2334630621.000002BC89D48000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000012.00000002.3349785789.00000193745C8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.2388008995.000002BC89860000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2389324088.000002BC8871D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.2224061778.000002BC802A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2220610669.000002BC8B8F5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.2309402428.000002BC8B8B5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.2316214576.000002BC8B758000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2315968628.000002BC8B967000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.2391384487.000002BC83921000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.2319953153.000002BC882DB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	firefox.exe, 00000010.00000002.3350288134.0000015C6DBC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3348978354.000002214CEEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3349785789.00000193745EF000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	firefox.exe, 00000010.00000002.3350288134.0000015C6DBC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3348978354.000002214CEEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3349785789.00000193745EF000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.2316637804.000002BC8B5DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.3348978354.000002214CE12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3349785789.0000019374513000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.2320908437.000002BC8817D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2352377143.000002BC8817D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2222265186.000002BC8817D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000012.00000002.3349101953.00000193743B0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggestabout	firefox.exe, 00000010.00000002.3350288134.0000015C6DB72000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.2320116251.000002BC88263000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.2388008995.000002BC8982B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	prefs-1.js.14.dr	false		unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.2224061778.000002BC802A5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.2256499432.000002BC8B4D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2342534213.000002BC837A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309402428.000002BC8B8B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2301837195.000002BC87FC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309402428.000002BC8B8D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2357503626.000002BC882C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2314167191.000002BC80291000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2213262659.000002BC8B2A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2302636416.000002BC8B4D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2229151442.000002BC8B8A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2255886512.000002BC8B4C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2259663385.000002BC8B4D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2302636416.000002BC8B4C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296464567.000002BC88371000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293365656.000002BC7EAFC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2341876510.000002BC837B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2299555698.000002BC8B8D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2252787838.000002BC8B8D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2252787838.000002BC8B8A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2309402428.000002BC8B8B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2231398614.000002BC8B8EF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.2358715714.000002BC8394C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.2358715714.000002BC8394C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.2320116251.000002BC88289000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.2320734112.000002BC8824B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.2320734112.000002BC8824B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.2388008995.000002BC8982B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.2194802639.000002BC88331000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2296464567.000002BC8831C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.2362826026.000002BC82B7F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.2335690896.000002BC898AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2200080307.000002BC80E67000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.2316214576.000002BC8B718000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.2293365656.000002BC7EA73000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.2224061778.000002BC802A5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.2354544358.000002BC8B1DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2385635409.000002BC8B1DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2347156274.000002BC8B1DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2318233195.000002BC8B1DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.2357087523.000002BC88747000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2389196981.000002BC88759000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2319570660.000002BC88747000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.2224061778.000002BC802A5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.2223629817.000002BC802DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2293365656.000002BC7EA73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2303277888.000002BC802DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2227027466.000002BC802DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2183016492.000002BC802DE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.2355538536.000002BC89D48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2334630621.000002BC89D48000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.2341567945.000002BC8878B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3349321035.0000015C6D960000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.3353392948.000002214D370000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3348887279.0000019374340000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
52.222.236.80	services.addons.mozilla.org	United States	16509	AMAZON-02US	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.250.186.142	youtube.com	United States	15169	GOOGLEUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532899
Start date and time:	2024-10-14 06:01:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@68/12
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 94% Number of executed functions: 42 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.26.161.5, 52.25.49.43, 35.83.8.120, 2.22.61.56, 2.22.61.59, 172.217.16.206, 142.250.184.202, 142.250.186.170, 142.250.185.238, 142.250.185.74
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Execution Graph export aborted for target firefox.exe, PID 1352 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:02:17	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
52.222.236.80	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	http://painel.simpatiafm.com.br/	Get hash	malicious	Unknown	Browse	157.240.0.35
	https://shawri.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	157.240.0.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.117.223.223
	SecuriteInfo.com.Win32.Trojan.Agent.1MWNV4.31044.30727.exe	Get hash	malicious	Unknown	Browse	34.117.223.223
AMAZON-02US	https://totalcanterbury0.sharefile.com/public/share/web-034ada86e7d04d74	Get hash	malicious	Unknown	Browse	76.223.1.166
	arm.nn-20241014-0317.elf	Get hash	malicious	Mirai, Okiru	Browse	3.64.174.92
	arm7.nn-20241014-0317.elf	Get hash	malicious	Mirai, Okiru	Browse	34.242.128.2
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.23
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.80
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
	file.exe	Get hash	malicious	Credential Flusher	Browse	52.222.236.120
ATGS-MMD-ASUS	arm.nn-20241014-0317.elf	Get hash	malicious	Mirai, Okiru	Browse	34.159.179.219
	arm5.nn-20241014-0317.elf	Get hash	malicious	Mirai, Okiru	Browse	51.17.46.145
	arm7.nn-20241014-0317.elf	Get hash	malicious	Mirai, Okiru	Browse	57.175.58.206
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	arm.nn-20241014-0317.elf	Get hash	malicious	Mirai, Okiru	Browse	34.159.179.219
	arm5.nn-20241014-0317.elf	Get hash	malicious	Mirai, Okiru	Browse	51.17.46.145
	arm7.nn-20241014-0317.elf	Get hash	malicious	Mirai, Okiru	Browse	57.175.58.206
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 52.222.236.80 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse
	c5yDnHUmFv.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_99aa29f8-13ee-4408-b8f2-a1297ea5467a.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.173039659641597
Encrypted:	false
SSDEEP:	192:uKMXoqlcbhbVbTbfbRbObtbyEl7n0r/JA6wnSrDtTkd/Sr:uP1cNhnzFSJUrmjnSrDhkd/G
MD5:	9C6259D15F9CC7D79E136000018B37BD
SHA1:	C1877F1D4675D4F482E2AEA4063050CBAA4781EF
SHA-256:	E62F32B8AB198D25AB0E58097A4B2E6ABB58127EA694EF4E2F986864B36F40F2
SHA-512:	B36D4493466AB183C7048B222A7EFA6BD00BD1A6149733FF8C416C6EFB545F7AC9551685FD3DBF7454E2A9043FC0DC78A4050ACEF8F2640C93C51AF5C67C3DF7
Malicious:	false
Preview:	{"type":"uninstall","id":"99aa29f8-13ee-4408-b8f2-a1297ea5467a","creationDate":"2024-10-14T05:44:26.242Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_99aa29f8-13ee-4408-b8f2-a1297ea5467a.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7813
Entropy (8bit):	5.173039659641597
Encrypted:	false
SSDEEP:	192:uKMXoqlcbhbVbTbfbRbObtbyEl7n0r/JA6wnSrDtTkd/Sr:uP1cNhnzFSJUrmjnSrDhkd/G
MD5:	9C6259D15F9CC7D79E136000018B37BD
SHA1:	C1877F1D4675D4F482E2AEA4063050CBAA4781EF
SHA-256:	E62F32B8AB198D25AB0E58097A4B2E6ABB58127EA694EF4E2F986864B36F40F2
SHA-512:	B36D4493466AB183C7048B222A7EFA6BD00BD1A6149733FF8C416C6EFB545F7AC9551685FD3DBF7454E2A9043FC0DC78A4050ACEF8F2640C93C51AF5C67C3DF7
Malicious:	false
Preview:	{"type":"uninstall","id":"99aa29f8-13ee-4408-b8f2-a1297ea5467a","creationDate":"2024-10-14T05:44:26.242Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"1fca7bd2-7b44-4c45-b0ea-e0486850ce95","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.926083883305888
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNSmP9oxE:8S+OVPUFRbOdwNIOdYpjvY1Q6L5mPe8P
MD5:	35FC3A35EE6C1DCA5CCB507A74C7E4C7
SHA1:	7B27CF40E46F92AD4BBCF390994A139C3B1594EB
SHA-256:	68F9B71ECC18BC7508FF24871B34A1B07D47017A9F62AAFFA2F2FD3F3490C78F
SHA-512:	3FF2B945CA981E2B3DD3172334748D31B1DAAE92D67399840DFA3EB14FFC83369AA2DCDA6168DC0F5C9E052E2CA292CCA1888018B7A95991D56AC1059553B1E6
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	4.926083883305888
Encrypted:	false
SSDEEP:	48:YnSwkmrOVPUFRbOdwNIOdoWLEWLtkDZuwpx5FBvipA6kb92the6LuhakNSmP9oxE:8S+OVPUFRbOdwNIOdYpjvY1Q6L5mPe8P
MD5:	35FC3A35EE6C1DCA5CCB507A74C7E4C7
SHA1:	7B27CF40E46F92AD4BBCF390994A139C3B1594EB
SHA-256:	68F9B71ECC18BC7508FF24871B34A1B07D47017A9F62AAFFA2F2FD3F3490C78F
SHA-512:	3FF2B945CA981E2B3DD3172334748D31B1DAAE92D67399840DFA3EB14FFC83369AA2DCDA6168DC0F5C9E052E2CA292CCA1888018B7A95991D56AC1059553B1E6
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"3ba649bc-be47-4b92-8762-21cab57bda3b","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-04T13:40:33.697Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"serp-ad-telemetry-rollout":{"slug":"serp-ad-telemetry-rollout","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pr

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5308
Entropy (8bit):	6.599374203470186
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6Uhm:zTx2x2t0FDJ4NpkuvjdeplTMohm
MD5:	EB56C2F4DA9435F3D5574161F414CD17
SHA1:	74A8FC3EC0559740FD9D835B638354985E2DEAB6
SHA-256:	394E803D5FF8E156DFA7D15E96B51A683F4624A1BCF88EAA532399AC2C9B0966
SHA-512:	DF90568D191C757392FB85BDDA5333C7FE7E3BB370C5DE8C50DD810B938D732E39B5608FB4494CAADAE99E1601989FDFC0FEBDCF70F27FFE581F904170A81E0F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1867463390487
Encrypted:	false
SSDEEP:	768:JI4avfWX94O6L4x4ME454N4ohvM4T4Pia4T4I4t54U:JI4KvG
MD5:	98875950B62B398FFE70C0A8D0998017
SHA1:	CFCFFF938402E53D341FE392E25D2E6C557E548F
SHA-256:	1B445C7E12712026D4E663426527CE58FD221D2E26545AEA699E67D60F16E7F0
SHA-512:	728FF6FF915A45B44D720F41F9545F41F1BF5FB218D58073BD27DB19145D2225488988BE80FB0F712922D7B661E1A64448E3F71F09A1480B6F20BD2480888ABF
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{7a5650ac-9a89-4807-a040-9f0832bf39a9}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: c5yDnHUmFv.exe, Detection: malicious, Browse Filename: c5yDnHUmFv.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: c5yDnHUmFv.exe, Detection: malicious, Browse Filename: c5yDnHUmFv.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07321064104694838
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkihxb:DLhesh7Owd4+jibb
MD5:	54EF1F8D622CCDCAC1954DC0D1F57D73
SHA1:	82F4DBAC435FA2636CE279696C2417EE59538E0D
SHA-256:	6755AF9C10CFB103DA49C8919F9CAB72D94E410C2F69C9BB73C80FC1E6FBD031
SHA-512:	2C4291A63BA24E92E657E7CE459E404AF099703074EB13487661038BAB97EC4025D6E2D0E3A28ED505D4CE20F7B65F8CA8C3794AF1407443B5E7E1338B943D2C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03515751410436221
Encrypted:	false
SSDEEP:	3:GtlstFAZ6d6guy2SClstFAZ6d6guy2S/T89//alEl:GtWtCZi5gWtCZi5589XuM
MD5:	FE34C012CD180C2EFF4DF1DE2FE62C2D
SHA1:	B158C3F18F58B2BD421BF4F72FBCD2476E998AC6
SHA-256:	110F89E7A9B632E38FB5D20B8C015A3C1AD47AD659337384786751B0BEF81F55
SHA-512:	0A5BC64C31770C52C92F0AB332007FFACAC1DB26CB48A096E5A53DFA3D099579390A60DED43279CB2EC742BBA709E0450C1CFCF44A09E03AC6BE695EC15611A9
Malicious:	false
Preview:	..-......................<.W......=.D.\|..E.......-......................<.W......=.D.\|..E.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03951298828664526
Encrypted:	false
SSDEEP:	3:Ol17gJg/fm2YgCyiliwl8rEXsxdwhml8XW3R2:KFk5yGiwl8dMhm93w
MD5:	CA17D197FD1A69E8E7458C9CD8BB5E13
SHA1:	AC74E6049052C3E3D548CC763A634E450CB21D5E
SHA-256:	DE79053BBE304777C732790B2ED9EF10AF48FB0A98E1D40900BA3853831D7F45
SHA-512:	AA04E43F1CAAE3B7B35049805FED3F937DF8D3869DED23F77CA0B1BC2C440F5697DE906441482295D36F963DC6E8AD9131484799CDE77D648CB294A47156F204
Malicious:	false
Preview:	7....-............=.D.\|.....]............=.D.\|W.<...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	modified
Size (bytes):	13187
Entropy (8bit):	5.477917448917752
Encrypted:	false
SSDEEP:	192:AnPOeRnLYbBp6qJ0aX+i6SEXKKqCNsx5RHWNBw8dXdSl:6DeTJUZ3nQHEwG0
MD5:	DF188DAD246163DBA6355D5D4E4D0C1F
SHA1:	3450F52434265FC4F5452AF4157D339E3FD70D2A
SHA-256:	92E1CDF1341CB079E685B52FE00191B2324080F1E509F211B5AAA72C0B52918C
SHA-512:	AB9F6C10A05F1817EF71B7CE0DC30AE077EFD4FBB4A40CEF469D513D4D04797D6E54B4414F487A140626DAF12202D05B6C0E9CEBCC83D10FDC63EC5DC45C9744
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728884635);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728884635);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728884635);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172888

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	13187
Entropy (8bit):	5.477917448917752
Encrypted:	false
SSDEEP:	192:AnPOeRnLYbBp6qJ0aX+i6SEXKKqCNsx5RHWNBw8dXdSl:6DeTJUZ3nQHEwG0
MD5:	DF188DAD246163DBA6355D5D4E4D0C1F
SHA1:	3450F52434265FC4F5452AF4157D339E3FD70D2A
SHA-256:	92E1CDF1341CB079E685B52FE00191B2324080F1E509F211B5AAA72C0B52918C
SHA-512:	AB9F6C10A05F1817EF71B7CE0DC30AE077EFD4FBB4A40CEF469D513D4D04797D6E54B4414F487A140626DAF12202D05B6C0E9CEBCC83D10FDC63EC5DC45C9744
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1728884635);..user_pref("app.update.lastUpdateTime.background-update-timer", 1728884635);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1728884635);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 172888

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.362641079725671
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSUkLXnIrh/pnxQwRcWT5sKmgb0W3eHVpjO+jamhumJJwO2c0TiVm0n:GUpOx1kynRcoegJ3erjxjJJwc3zBt3
MD5:	4AD19868360D4B7BD163D7EB18C941B8
SHA1:	388E70A0216828EDA74628FD925F9ED2884C8B56
SHA-256:	B3AE703933B00708C3901B5D68CC2830CB6934B9FD00415D9C45FEEDB66A8B9C
SHA-512:	0B268909195B3284FA9EF895DC1FC9E80565185C4D388D4E7DF022B86FF7F5CE56A2AC1A1405ABDF5C8DF48EAEE6C14E182DEA3A09EC9293C142BB178CE12E74
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{5eb882d7-3438-460a-b6dd-e9c0f78b2b44}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1728884639787,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...8,"startTim..P05198...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...08894,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.362641079725671
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSUkLXnIrh/pnxQwRcWT5sKmgb0W3eHVpjO+jamhumJJwO2c0TiVm0n:GUpOx1kynRcoegJ3erjxjJJwc3zBt3
MD5:	4AD19868360D4B7BD163D7EB18C941B8
SHA1:	388E70A0216828EDA74628FD925F9ED2884C8B56
SHA-256:	B3AE703933B00708C3901B5D68CC2830CB6934B9FD00415D9C45FEEDB66A8B9C
SHA-512:	0B268909195B3284FA9EF895DC1FC9E80565185C4D388D4E7DF022B86FF7F5CE56A2AC1A1405ABDF5C8DF48EAEE6C14E182DEA3A09EC9293C142BB178CE12E74
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{5eb882d7-3438-460a-b6dd-e9c0f78b2b44}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1728884639787,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...8,"startTim..P05198...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...08894,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1576
Entropy (8bit):	6.362641079725671
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSUkLXnIrh/pnxQwRcWT5sKmgb0W3eHVpjO+jamhumJJwO2c0TiVm0n:GUpOx1kynRcoegJ3erjxjJJwc3zBt3
MD5:	4AD19868360D4B7BD163D7EB18C941B8
SHA1:	388E70A0216828EDA74628FD925F9ED2884C8B56
SHA-256:	B3AE703933B00708C3901B5D68CC2830CB6934B9FD00415D9C45FEEDB66A8B9C
SHA-512:	0B268909195B3284FA9EF895DC1FC9E80565185C4D388D4E7DF022B86FF7F5CE56A2AC1A1405ABDF5C8DF48EAEE6C14E182DEA3A09EC9293C142BB178CE12E74
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":7,"docshellUU...D"{5eb882d7-3438-460a-b6dd-e9c0f78b2b44}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":8,"persistK..+}],"lastAccessed":1728884639787,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2150633470....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...98952893-68ff-4a5d-a164-705c709ed3db","zD..1...Wm..l........j..:....1":{..jUpdate...8,"startTim..P05198...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...'b03116d8508741e1c0453eca6046028f71c7c2b904be5e0a0d4686...b1764f","pa..p"/","na..a"taarI\|.Tecure2..C.Donly..fexpiry...08894,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029869993784464
Encrypted:	false
SSDEEP:	96:ycFMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:MTEr5NX0z3DhRe
MD5:	D2E37193F94E5C9D126FB8B252DF0B57
SHA1:	4719D67AB1B9A8776EC7BFF667CEEA90F16858F5
SHA-256:	361A9622BA73482E06541AE86EE69E9B0276C7E7185E3017FB3BD0D3E3713BA1
SHA-512:	85F77A30F24D748BF8774FBB5C6EAF8F0C15E1C1EC7C39FFDE83606F5686234270F224CD883B5880C6DE13548D233AFBAFF47501E210824BFAC93DD307A92A37
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-14T05:43:34.692Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.029869993784464
Encrypted:	false
SSDEEP:	96:ycFMTEr5/lLmI2Ac1zzcxvbw6Kkgrc2Rn27:MTEr5NX0z3DhRe
MD5:	D2E37193F94E5C9D126FB8B252DF0B57
SHA1:	4719D67AB1B9A8776EC7BFF667CEEA90F16858F5
SHA-256:	361A9622BA73482E06541AE86EE69E9B0276C7E7185E3017FB3BD0D3E3713BA1
SHA-512:	85F77A30F24D748BF8774FBB5C6EAF8F0C15E1C1EC7C39FFDE83606F5686234270F224CD883B5880C6DE13548D233AFBAFF47501E210824BFAC93DD307A92A37
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-10-14T05:43:34.692Z","profileAgeCreated":1696426830133,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584682417422146
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	6f9619fa7cf95762cc014f84b308c135
SHA1:	d892a42085bdf61e59b949e401dc62f12c190a5e
SHA256:	b9d2c9598fb357f3e9009a5bd5ecddeb592c50486d2993141ffbfc3431ae03c8
SHA512:	6c1a013309c7cd7e94cecce0494bcf0eb3b79ae605fd4999a4e56edab1027b55dbf482956ca99c2f44ea7bc428c7b4c4423a3b01e48f01c36a12d8a8d921c608
SSDEEP:	12288:xqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/TM:xqDEvCTbMWu7rQYlBQcBiT6rprG8abM
TLSH:	D9159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x670C944D [Mon Oct 14 03:47:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F3340B5A1C3h
jmp 00007F3340B59ACFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3340B59CADh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3340B59C7Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F3340B5C86Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F3340B5C8B8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F3340B5C8A1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	916d1854ab25a6538e89d3252494f2ea	False	0.31561511075949367	data	5.3740342706637	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 06:02:16.683418036 CEST	49708	443	192.168.2.5	35.190.72.216
Oct 14, 2024 06:02:16.683459044 CEST	443	49708	35.190.72.216	192.168.2.5
Oct 14, 2024 06:02:16.684262991 CEST	49708	443	192.168.2.5	35.190.72.216
Oct 14, 2024 06:02:16.740489960 CEST	49708	443	192.168.2.5	35.190.72.216
Oct 14, 2024 06:02:16.740505934 CEST	443	49708	35.190.72.216	192.168.2.5
Oct 14, 2024 06:02:17.029233932 CEST	49711	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:17.029295921 CEST	443	49711	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:17.029994011 CEST	49711	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:17.031510115 CEST	49711	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:17.031542063 CEST	443	49711	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:17.057950020 CEST	49712	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:17.057982922 CEST	443	49712	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:17.061564922 CEST	49712	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:17.063463926 CEST	49712	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:17.063478947 CEST	443	49712	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:17.074742079 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:17.079643965 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:17.081094980 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:17.081407070 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:17.086153030 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:17.261579990 CEST	443	49708	35.190.72.216	192.168.2.5
Oct 14, 2024 06:02:17.261709929 CEST	49708	443	192.168.2.5	35.190.72.216
Oct 14, 2024 06:02:17.309674025 CEST	49708	443	192.168.2.5	35.190.72.216
Oct 14, 2024 06:02:17.309701920 CEST	443	49708	35.190.72.216	192.168.2.5
Oct 14, 2024 06:02:17.309926987 CEST	49708	443	192.168.2.5	35.190.72.216
Oct 14, 2024 06:02:17.310067892 CEST	443	49708	35.190.72.216	192.168.2.5
Oct 14, 2024 06:02:17.310138941 CEST	49708	443	192.168.2.5	35.190.72.216
Oct 14, 2024 06:02:17.335472107 CEST	49714	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:17.335526943 CEST	443	49714	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:17.335591078 CEST	49714	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:17.335743904 CEST	49714	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:17.335755110 CEST	443	49714	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:17.339479923 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:17.339519978 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:17.339581013 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:17.341080904 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:17.341098070 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:17.542042971 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:17.602091074 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:17.603405952 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:17.603504896 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:17.609034061 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:17.611037016 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:17.611078024 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:17.696894884 CEST	443	49711	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:17.698323011 CEST	443	49711	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:17.703418016 CEST	443	49711	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:17.716881037 CEST	49711	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:17.725936890 CEST	443	49712	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:17.728389978 CEST	443	49712	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:17.737260103 CEST	49712	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:17.737281084 CEST	443	49712	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:17.756108999 CEST	49711	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:17.756144047 CEST	443	49711	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:17.756172895 CEST	49711	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:17.756746054 CEST	443	49711	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:17.757510900 CEST	49711	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:17.763029099 CEST	49712	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:17.763046026 CEST	443	49712	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:17.763273954 CEST	49712	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:17.763606071 CEST	49717	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:17.763662100 CEST	443	49717	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:17.763705015 CEST	443	49712	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:17.777734995 CEST	49717	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:17.777796984 CEST	49712	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:17.784204006 CEST	49717	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:17.784224033 CEST	443	49717	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:17.856724024 CEST	443	49714	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:17.858786106 CEST	49714	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:17.862679958 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:17.867428064 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:17.879046917 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.024595022 CEST	49714	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:18.024615049 CEST	443	49714	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:18.025055885 CEST	443	49714	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:18.081321001 CEST	49714	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:18.090879917 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:18.101610899 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.125906944 CEST	49714	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:18.126010895 CEST	49714	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:18.126205921 CEST	443	49714	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:18.129606962 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.129637003 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:18.129741907 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.129889011 CEST	443	49715	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:18.130199909 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.130232096 CEST	443	49718	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:18.134455919 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.134455919 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.134541035 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:18.134789944 CEST	443	49716	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:18.139889002 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.139952898 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:18.141802073 CEST	49714	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:18.141822100 CEST	49715	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.141872883 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.154613972 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.154627085 CEST	443	49718	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:18.162226915 CEST	49716	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.162228107 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.169930935 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.169980049 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:18.341614962 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:18.346920013 CEST	80	49713	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:18.359132051 CEST	49713	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:18.360946894 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:18.365858078 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:18.366005898 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:18.366478920 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:18.368956089 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:18.371228933 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:18.373730898 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:18.373823881 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:18.374002934 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:18.378782988 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:18.440737963 CEST	443	49717	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:18.440753937 CEST	443	49717	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:18.441750050 CEST	443	49717	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:18.445485115 CEST	49717	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:18.445522070 CEST	443	49717	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:18.457264900 CEST	49717	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:18.457289934 CEST	443	49717	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:18.457406044 CEST	49717	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:18.457484961 CEST	443	49717	142.250.186.142	192.168.2.5
Oct 14, 2024 06:02:18.465711117 CEST	49717	443	192.168.2.5	142.250.186.142
Oct 14, 2024 06:02:18.603563070 CEST	49723	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:18.603641033 CEST	443	49723	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:18.608968019 CEST	49723	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:18.609457016 CEST	49723	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:18.609476089 CEST	443	49723	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:18.625366926 CEST	443	49718	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:18.625386000 CEST	443	49718	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:18.629411936 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.640260935 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.640269995 CEST	443	49718	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:18.640391111 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.640712023 CEST	443	49718	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:18.649017096 CEST	49718	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.663012028 CEST	49724	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:18.663053989 CEST	443	49724	34.107.243.93	192.168.2.5
Oct 14, 2024 06:02:18.663870096 CEST	49724	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:18.665783882 CEST	49724	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:18.665810108 CEST	443	49724	34.107.243.93	192.168.2.5
Oct 14, 2024 06:02:18.673432112 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:18.673449993 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:18.688536882 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.694339991 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.694372892 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:18.694462061 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.694634914 CEST	443	49719	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:18.695209980 CEST	49719	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:18.825754881 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:18.846254110 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:18.869088888 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:18.906923056 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:19.097368002 CEST	443	49723	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:19.097460032 CEST	49723	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:19.101422071 CEST	49723	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:19.101445913 CEST	443	49723	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:19.101783991 CEST	443	49723	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:19.104115009 CEST	49723	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:19.104218006 CEST	49723	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:19.104302883 CEST	443	49723	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:19.104393959 CEST	49723	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:19.161845922 CEST	443	49724	34.107.243.93	192.168.2.5
Oct 14, 2024 06:02:19.161931038 CEST	49724	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:19.167815924 CEST	49724	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:19.167849064 CEST	443	49724	34.107.243.93	192.168.2.5
Oct 14, 2024 06:02:19.167929888 CEST	49724	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:19.168205023 CEST	443	49724	34.107.243.93	192.168.2.5
Oct 14, 2024 06:02:19.168276072 CEST	49724	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:19.681370974 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:19.681407928 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:19.681871891 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:19.685889006 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:19.687015057 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:19.688113928 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:19.688127041 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:19.708678007 CEST	49727	443	192.168.2.5	34.160.144.191
Oct 14, 2024 06:02:19.708759069 CEST	443	49727	34.160.144.191	192.168.2.5
Oct 14, 2024 06:02:19.709201097 CEST	49727	443	192.168.2.5	34.160.144.191
Oct 14, 2024 06:02:19.709414005 CEST	49727	443	192.168.2.5	34.160.144.191
Oct 14, 2024 06:02:19.709449053 CEST	443	49727	34.160.144.191	192.168.2.5
Oct 14, 2024 06:02:19.780025959 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:19.825268984 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:20.014432907 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:20.022227049 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:20.113776922 CEST	49728	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:20.113801003 CEST	443	49728	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:20.113915920 CEST	49728	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:20.115983009 CEST	49728	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:20.115994930 CEST	443	49728	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:20.117317915 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:20.157464981 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:20.166265965 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:20.166400909 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:20.171788931 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:20.171817064 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:20.171988964 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:20.172038078 CEST	443	49726	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:20.172481060 CEST	49729	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:20.172537088 CEST	443	49729	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:20.172550917 CEST	49726	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:20.172646999 CEST	49729	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:20.174691916 CEST	49729	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:20.174706936 CEST	443	49729	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:20.195902109 CEST	443	49727	34.160.144.191	192.168.2.5
Oct 14, 2024 06:02:20.207425117 CEST	443	49727	34.160.144.191	192.168.2.5
Oct 14, 2024 06:02:20.211078882 CEST	49727	443	192.168.2.5	34.160.144.191
Oct 14, 2024 06:02:20.215795040 CEST	49727	443	192.168.2.5	34.160.144.191
Oct 14, 2024 06:02:20.215809107 CEST	443	49727	34.160.144.191	192.168.2.5
Oct 14, 2024 06:02:20.216697931 CEST	443	49727	34.160.144.191	192.168.2.5
Oct 14, 2024 06:02:20.218610048 CEST	49727	443	192.168.2.5	34.160.144.191
Oct 14, 2024 06:02:20.218734026 CEST	49727	443	192.168.2.5	34.160.144.191
Oct 14, 2024 06:02:20.218978882 CEST	49727	443	192.168.2.5	34.160.144.191
Oct 14, 2024 06:02:20.219151020 CEST	49730	443	192.168.2.5	34.160.144.191
Oct 14, 2024 06:02:20.219197035 CEST	443	49730	34.160.144.191	192.168.2.5
Oct 14, 2024 06:02:20.226490974 CEST	49730	443	192.168.2.5	34.160.144.191
Oct 14, 2024 06:02:20.226722002 CEST	49730	443	192.168.2.5	34.160.144.191
Oct 14, 2024 06:02:20.226738930 CEST	443	49730	34.160.144.191	192.168.2.5
Oct 14, 2024 06:02:20.625894070 CEST	443	49728	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:20.625986099 CEST	49728	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:20.630863905 CEST	49728	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:20.630872965 CEST	443	49728	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:20.630944967 CEST	49728	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:20.631134033 CEST	443	49728	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:20.632375956 CEST	49728	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:20.666346073 CEST	443	49729	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:20.666424036 CEST	49729	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:20.670577049 CEST	49729	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:20.670584917 CEST	443	49729	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:20.670674086 CEST	49729	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:20.670751095 CEST	443	49729	34.117.188.166	192.168.2.5
Oct 14, 2024 06:02:20.670829058 CEST	49729	443	192.168.2.5	34.117.188.166
Oct 14, 2024 06:02:20.707567930 CEST	443	49730	34.160.144.191	192.168.2.5
Oct 14, 2024 06:02:20.707583904 CEST	443	49730	34.160.144.191	192.168.2.5
Oct 14, 2024 06:02:20.710031986 CEST	49730	443	192.168.2.5	34.160.144.191
Oct 14, 2024 06:02:20.713088036 CEST	49730	443	192.168.2.5	34.160.144.191
Oct 14, 2024 06:02:20.713116884 CEST	443	49730	34.160.144.191	192.168.2.5
Oct 14, 2024 06:02:20.713442087 CEST	443	49730	34.160.144.191	192.168.2.5
Oct 14, 2024 06:02:20.715019941 CEST	49730	443	192.168.2.5	34.160.144.191
Oct 14, 2024 06:02:20.715096951 CEST	49730	443	192.168.2.5	34.160.144.191
Oct 14, 2024 06:02:20.715187073 CEST	443	49730	34.160.144.191	192.168.2.5
Oct 14, 2024 06:02:20.715265989 CEST	49730	443	192.168.2.5	34.160.144.191
Oct 14, 2024 06:02:22.948940039 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:22.955135107 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:23.048011065 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:23.097198963 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:23.759617090 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:23.764548063 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:23.770312071 CEST	49741	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:23.770358086 CEST	443	49741	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:23.770668983 CEST	49741	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:23.772089958 CEST	49741	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:23.772108078 CEST	443	49741	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:23.859653950 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:23.921643019 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:23.953488111 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:23.958374977 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:23.966789961 CEST	49742	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:23.966840029 CEST	443	49742	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:23.966974020 CEST	49742	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:23.968358994 CEST	49742	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:23.968377113 CEST	443	49742	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:24.050940990 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:24.098464966 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:24.253896952 CEST	443	49741	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:24.257795095 CEST	49741	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:24.263890028 CEST	49741	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:24.263907909 CEST	443	49741	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:24.263977051 CEST	49741	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:24.264058113 CEST	443	49741	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:24.277705908 CEST	49741	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:24.382776022 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:24.387636900 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:24.442059994 CEST	49748	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:24.442117929 CEST	443	49748	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:24.459798098 CEST	49748	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:24.461330891 CEST	49748	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:24.461388111 CEST	443	49748	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:24.462970018 CEST	443	49742	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:24.467422009 CEST	443	49742	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:24.480073929 CEST	49742	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:24.482549906 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:24.541209936 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:24.940798998 CEST	443	49748	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:24.940813065 CEST	443	49748	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:24.943665981 CEST	49748	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:25.428138971 CEST	49742	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:25.428160906 CEST	443	49742	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:25.428338051 CEST	49742	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:25.428564072 CEST	49748	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:25.428643942 CEST	443	49748	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:25.428673983 CEST	49748	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:25.428683043 CEST	443	49742	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:25.428832054 CEST	443	49748	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:25.428940058 CEST	49756	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:25.428968906 CEST	443	49756	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:25.429878950 CEST	49748	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:25.429889917 CEST	49742	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:25.429924011 CEST	49756	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:25.431437016 CEST	49756	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:25.431453943 CEST	443	49756	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:25.900758982 CEST	443	49756	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:25.902889013 CEST	49756	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:26.023586988 CEST	49756	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:26.023586988 CEST	49756	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:26.023610115 CEST	443	49756	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:26.023782015 CEST	443	49756	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:26.023890972 CEST	49756	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:29.233144999 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:29.237900972 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:29.331871033 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:29.378041983 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:29.849793911 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:29.854631901 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:29.949613094 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:30.013103962 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:30.770299911 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:30.775216103 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:30.780417919 CEST	49795	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:30.780457973 CEST	443	49795	34.107.243.93	192.168.2.5
Oct 14, 2024 06:02:30.781965017 CEST	49795	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:30.784456015 CEST	49795	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:30.784480095 CEST	443	49795	34.107.243.93	192.168.2.5
Oct 14, 2024 06:02:30.868216991 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:30.914398909 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:31.276340008 CEST	443	49795	34.107.243.93	192.168.2.5
Oct 14, 2024 06:02:31.276566029 CEST	49795	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:31.468497038 CEST	49795	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:31.468516111 CEST	443	49795	34.107.243.93	192.168.2.5
Oct 14, 2024 06:02:31.468599081 CEST	49795	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:31.469095945 CEST	443	49795	34.107.243.93	192.168.2.5
Oct 14, 2024 06:02:31.469358921 CEST	49795	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:31.515408993 CEST	49801	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:31.515453100 CEST	443	49801	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:31.519696951 CEST	49801	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:31.519696951 CEST	49801	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:31.519736052 CEST	443	49801	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:31.523689032 CEST	49802	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:31.523703098 CEST	443	49802	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:31.523772001 CEST	49802	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:31.524126053 CEST	49802	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:31.524139881 CEST	443	49802	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:31.570367098 CEST	49803	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:31.570415020 CEST	443	49803	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:31.571144104 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:31.576131105 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:31.577842951 CEST	49803	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:31.579211950 CEST	49803	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:31.579231977 CEST	443	49803	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:31.671509981 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:31.690485001 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:31.695374012 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:31.725079060 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:31.788239956 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:31.840993881 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:32.003307104 CEST	443	49801	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:32.003448009 CEST	49801	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:32.020492077 CEST	443	49802	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:32.020570993 CEST	49802	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:32.056982994 CEST	443	49803	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:32.057018042 CEST	443	49803	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:32.057071924 CEST	49803	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:32.110650063 CEST	49803	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:32.139163017 CEST	49801	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:32.139187098 CEST	443	49801	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:32.140125036 CEST	443	49801	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:32.152345896 CEST	49802	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:32.152364969 CEST	443	49802	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:32.152754068 CEST	443	49802	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:32.195341110 CEST	49801	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:32.210819006 CEST	49802	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:33.092741966 CEST	49801	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:33.092926979 CEST	49801	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:33.093185902 CEST	49802	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:33.093251944 CEST	49802	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:33.093429089 CEST	443	49802	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:33.093549013 CEST	443	49801	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:33.093606949 CEST	49803	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:33.093635082 CEST	443	49803	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:33.093647957 CEST	49803	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:33.094172001 CEST	443	49803	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:33.095568895 CEST	49802	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:33.095568895 CEST	49801	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:33.095587015 CEST	49803	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:34.077796936 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:34.084399939 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:34.090292931 CEST	49820	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:34.090308905 CEST	443	49820	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:34.095747948 CEST	49820	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:34.097163916 CEST	49820	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:34.097177982 CEST	443	49820	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:34.180687904 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:34.232223034 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:34.262485027 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:34.269289970 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:34.361880064 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:34.417257071 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:34.580934048 CEST	443	49820	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:34.581079960 CEST	49820	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:34.586544037 CEST	49820	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:34.586553097 CEST	443	49820	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:34.586731911 CEST	49820	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:34.587006092 CEST	443	49820	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:34.590589046 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:34.595339060 CEST	49825	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:34.595395088 CEST	443	49825	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:34.595439911 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:34.596283913 CEST	49825	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:34.596358061 CEST	49820	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:34.598522902 CEST	49825	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:34.598561049 CEST	443	49825	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:34.690150023 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:34.693480968 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:34.698297977 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:34.733722925 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:34.791450024 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:34.834036112 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:35.091001987 CEST	443	49825	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:35.091103077 CEST	49825	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:35.097357988 CEST	49825	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:35.097387075 CEST	443	49825	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:35.097461939 CEST	49825	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:35.097608089 CEST	443	49825	34.120.208.123	192.168.2.5
Oct 14, 2024 06:02:35.098728895 CEST	49825	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:02:35.100450039 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:35.105320930 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:35.200844049 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:35.204551935 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:35.209470987 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:35.250447989 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:35.302232027 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:35.350753069 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:41.534898043 CEST	49868	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:41.534946918 CEST	443	49868	34.107.243.93	192.168.2.5
Oct 14, 2024 06:02:41.535315037 CEST	49868	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:41.539406061 CEST	49868	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:41.539424896 CEST	443	49868	34.107.243.93	192.168.2.5
Oct 14, 2024 06:02:42.069545031 CEST	443	49868	34.107.243.93	192.168.2.5
Oct 14, 2024 06:02:42.069624901 CEST	49868	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:42.073303938 CEST	49868	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:42.073309898 CEST	443	49868	34.107.243.93	192.168.2.5
Oct 14, 2024 06:02:42.073420048 CEST	49868	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:42.073558092 CEST	443	49868	34.107.243.93	192.168.2.5
Oct 14, 2024 06:02:42.073623896 CEST	49868	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:02:42.077056885 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:42.082175016 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:42.176987886 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:42.180736065 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:42.187239885 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:42.224241972 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:42.280065060 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:42.324513912 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:44.793077946 CEST	49889	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:44.793113947 CEST	443	49889	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:44.798782110 CEST	49889	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:44.798954964 CEST	49889	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:44.798969984 CEST	443	49889	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:44.804177046 CEST	49890	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:44.804208040 CEST	443	49890	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:44.804363012 CEST	49890	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:44.804616928 CEST	49890	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:44.804630041 CEST	443	49890	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:44.809717894 CEST	49891	443	192.168.2.5	52.222.236.80
Oct 14, 2024 06:02:44.809768915 CEST	443	49891	52.222.236.80	192.168.2.5
Oct 14, 2024 06:02:44.810009956 CEST	49891	443	192.168.2.5	52.222.236.80
Oct 14, 2024 06:02:44.810090065 CEST	49891	443	192.168.2.5	52.222.236.80
Oct 14, 2024 06:02:44.810101986 CEST	443	49891	52.222.236.80	192.168.2.5
Oct 14, 2024 06:02:44.856745005 CEST	49892	443	192.168.2.5	35.190.72.216
Oct 14, 2024 06:02:44.856770039 CEST	443	49892	35.190.72.216	192.168.2.5
Oct 14, 2024 06:02:44.857875109 CEST	49892	443	192.168.2.5	35.190.72.216
Oct 14, 2024 06:02:44.859364033 CEST	49892	443	192.168.2.5	35.190.72.216
Oct 14, 2024 06:02:44.859379053 CEST	443	49892	35.190.72.216	192.168.2.5
Oct 14, 2024 06:02:44.870917082 CEST	49893	443	192.168.2.5	35.201.103.21
Oct 14, 2024 06:02:44.870927095 CEST	443	49893	35.201.103.21	192.168.2.5
Oct 14, 2024 06:02:44.873542070 CEST	49893	443	192.168.2.5	35.201.103.21
Oct 14, 2024 06:02:44.874911070 CEST	49893	443	192.168.2.5	35.201.103.21
Oct 14, 2024 06:02:44.874922037 CEST	443	49893	35.201.103.21	192.168.2.5
Oct 14, 2024 06:02:45.275856972 CEST	443	49890	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:45.275943995 CEST	49890	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:45.278080940 CEST	443	49889	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:45.278153896 CEST	49889	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:45.278801918 CEST	49890	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:45.278817892 CEST	443	49890	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:45.279027939 CEST	443	49890	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:45.281277895 CEST	49889	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:45.281289101 CEST	443	49889	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:45.281501055 CEST	443	49889	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:45.284329891 CEST	49890	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:45.284491062 CEST	49890	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:45.284506083 CEST	443	49890	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:45.284831047 CEST	49889	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:45.284885883 CEST	49889	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:45.284976006 CEST	443	49889	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:45.285140038 CEST	49890	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:45.285151958 CEST	49889	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:45.289228916 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:45.294070959 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:45.351774931 CEST	443	49892	35.190.72.216	192.168.2.5
Oct 14, 2024 06:02:45.352350950 CEST	49892	443	192.168.2.5	35.190.72.216
Oct 14, 2024 06:02:45.356422901 CEST	49892	443	192.168.2.5	35.190.72.216
Oct 14, 2024 06:02:45.356431961 CEST	443	49892	35.190.72.216	192.168.2.5
Oct 14, 2024 06:02:45.356524944 CEST	49892	443	192.168.2.5	35.190.72.216
Oct 14, 2024 06:02:45.357120037 CEST	443	49892	35.190.72.216	192.168.2.5
Oct 14, 2024 06:02:45.357260942 CEST	49892	443	192.168.2.5	35.190.72.216
Oct 14, 2024 06:02:45.369760036 CEST	443	49893	35.201.103.21	192.168.2.5
Oct 14, 2024 06:02:45.369839907 CEST	49893	443	192.168.2.5	35.201.103.21
Oct 14, 2024 06:02:45.374537945 CEST	49893	443	192.168.2.5	35.201.103.21
Oct 14, 2024 06:02:45.374546051 CEST	443	49893	35.201.103.21	192.168.2.5
Oct 14, 2024 06:02:45.374610901 CEST	49893	443	192.168.2.5	35.201.103.21
Oct 14, 2024 06:02:45.374701023 CEST	443	49893	35.201.103.21	192.168.2.5
Oct 14, 2024 06:02:45.375412941 CEST	49893	443	192.168.2.5	35.201.103.21
Oct 14, 2024 06:02:45.388334990 CEST	49899	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:45.388364077 CEST	443	49899	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:45.389066935 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:45.389159918 CEST	49899	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:45.389353991 CEST	49899	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:45.389368057 CEST	443	49899	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:45.392149925 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:45.396940947 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:45.433511019 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:45.490236998 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:45.533706903 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:45.562529087 CEST	443	49891	52.222.236.80	192.168.2.5
Oct 14, 2024 06:02:45.562844992 CEST	49891	443	192.168.2.5	52.222.236.80
Oct 14, 2024 06:02:45.565680027 CEST	49891	443	192.168.2.5	52.222.236.80
Oct 14, 2024 06:02:45.565687895 CEST	443	49891	52.222.236.80	192.168.2.5
Oct 14, 2024 06:02:45.566092014 CEST	443	49891	52.222.236.80	192.168.2.5
Oct 14, 2024 06:02:45.568429947 CEST	49891	443	192.168.2.5	52.222.236.80
Oct 14, 2024 06:02:45.568572044 CEST	49891	443	192.168.2.5	52.222.236.80
Oct 14, 2024 06:02:45.568666935 CEST	443	49891	52.222.236.80	192.168.2.5
Oct 14, 2024 06:02:45.575082064 CEST	49891	443	192.168.2.5	52.222.236.80
Oct 14, 2024 06:02:45.577935934 CEST	49900	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:45.577976942 CEST	443	49900	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:45.578427076 CEST	49900	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:45.578566074 CEST	49900	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:45.578577995 CEST	443	49900	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:45.580315113 CEST	49901	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:45.580339909 CEST	443	49901	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:45.580612898 CEST	49901	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:45.580995083 CEST	49901	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:45.581006050 CEST	443	49901	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:45.584009886 CEST	49902	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:45.584019899 CEST	443	49902	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:45.584427118 CEST	49902	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:45.584563971 CEST	49902	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:45.584573984 CEST	443	49902	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:45.586446047 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:45.591248989 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:45.686412096 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:45.691190004 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:45.696136951 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:45.734450102 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:45.788911104 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:45.834619999 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:45.868638039 CEST	443	49899	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:45.869431019 CEST	49899	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:45.872323036 CEST	49899	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:45.872329950 CEST	443	49899	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:45.872647047 CEST	443	49899	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:45.874738932 CEST	49899	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:45.874738932 CEST	49899	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:45.874914885 CEST	443	49899	34.149.100.209	192.168.2.5
Oct 14, 2024 06:02:45.876108885 CEST	49899	443	192.168.2.5	34.149.100.209
Oct 14, 2024 06:02:45.879445076 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:45.884249926 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:45.992819071 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:45.996692896 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:46.001564980 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:46.035144091 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:46.050740957 CEST	443	49900	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:46.050973892 CEST	49900	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:46.053868055 CEST	49900	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:46.053883076 CEST	443	49900	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:46.054245949 CEST	443	49900	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:46.056912899 CEST	49900	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:46.057022095 CEST	49900	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:46.057117939 CEST	443	49900	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:46.058259010 CEST	49900	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:46.059092045 CEST	443	49902	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:46.061079979 CEST	49902	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:46.063494921 CEST	443	49901	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:46.064054966 CEST	49902	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:46.064074039 CEST	443	49902	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:46.064186096 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:46.064290047 CEST	443	49902	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:46.065145969 CEST	49901	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:46.068025112 CEST	49901	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:46.068030119 CEST	443	49901	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:46.068939924 CEST	443	49901	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:46.069083929 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:46.071507931 CEST	49902	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:46.071583986 CEST	49902	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:46.071659088 CEST	443	49902	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:46.072097063 CEST	49901	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:46.072149038 CEST	49901	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:46.072426081 CEST	49902	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:46.072500944 CEST	443	49901	35.244.181.201	192.168.2.5
Oct 14, 2024 06:02:46.072581053 CEST	49901	443	192.168.2.5	35.244.181.201
Oct 14, 2024 06:02:46.097954988 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:46.151050091 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:46.164053917 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:46.168402910 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:46.173300028 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:46.204483986 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:46.266046047 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:46.320424080 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:56.013652086 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:56.018588066 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:56.113852978 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:56.120613098 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:56.125462055 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:56.164124966 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:02:56.218883991 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:02:56.264398098 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:02.119976044 CEST	50011	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:03:02.120002985 CEST	443	50011	34.107.243.93	192.168.2.5
Oct 14, 2024 06:03:02.120136023 CEST	50011	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:03:02.122175932 CEST	50011	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:03:02.122190952 CEST	443	50011	34.107.243.93	192.168.2.5
Oct 14, 2024 06:03:02.612610102 CEST	443	50011	34.107.243.93	192.168.2.5
Oct 14, 2024 06:03:02.612719059 CEST	50011	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:03:02.617799044 CEST	50011	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:03:02.617813110 CEST	443	50011	34.107.243.93	192.168.2.5
Oct 14, 2024 06:03:02.617898941 CEST	50011	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:03:02.618024111 CEST	443	50011	34.107.243.93	192.168.2.5
Oct 14, 2024 06:03:02.619076014 CEST	50011	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:03:02.620959044 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:02.625808001 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:02.721039057 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:02.729551077 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:02.734375954 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:02.767537117 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:02.827513933 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:02.867839098 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:12.729226112 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:12.734118938 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:12.827770948 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:12.832531929 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:15.723638058 CEST	50029	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:03:15.723690033 CEST	443	50029	34.120.208.123	192.168.2.5
Oct 14, 2024 06:03:15.723987103 CEST	50029	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:03:15.724121094 CEST	50029	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:03:15.724148035 CEST	443	50029	34.120.208.123	192.168.2.5
Oct 14, 2024 06:03:15.734386921 CEST	50030	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:03:15.734432936 CEST	443	50030	34.120.208.123	192.168.2.5
Oct 14, 2024 06:03:15.734719992 CEST	50030	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:03:15.734858990 CEST	50030	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:03:15.734884024 CEST	443	50030	34.120.208.123	192.168.2.5
Oct 14, 2024 06:03:16.203762054 CEST	443	50029	34.120.208.123	192.168.2.5
Oct 14, 2024 06:03:16.205482006 CEST	50029	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:03:16.209352970 CEST	50029	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:03:16.209367990 CEST	443	50029	34.120.208.123	192.168.2.5
Oct 14, 2024 06:03:16.209760904 CEST	443	50029	34.120.208.123	192.168.2.5
Oct 14, 2024 06:03:16.212179899 CEST	50029	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:03:16.212284088 CEST	50029	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:03:16.212388039 CEST	443	50029	34.120.208.123	192.168.2.5
Oct 14, 2024 06:03:16.212445974 CEST	50029	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:03:16.216321945 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:16.220508099 CEST	443	50030	34.120.208.123	192.168.2.5
Oct 14, 2024 06:03:16.220587969 CEST	50030	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:03:16.221162081 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:16.224009037 CEST	50030	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:03:16.224025965 CEST	443	50030	34.120.208.123	192.168.2.5
Oct 14, 2024 06:03:16.224914074 CEST	443	50030	34.120.208.123	192.168.2.5
Oct 14, 2024 06:03:16.226516008 CEST	50030	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:03:16.226604939 CEST	50030	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:03:16.226938009 CEST	443	50030	34.120.208.123	192.168.2.5
Oct 14, 2024 06:03:16.227003098 CEST	50030	443	192.168.2.5	34.120.208.123
Oct 14, 2024 06:03:16.316057920 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:16.319032907 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:16.323868036 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:16.368932962 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:16.416496992 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:16.468738079 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:26.319494009 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:26.324273109 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:26.419521093 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:26.424312115 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:36.325498104 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:36.330622911 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:36.425796032 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:36.430727005 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:42.981837034 CEST	50031	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:03:42.981859922 CEST	443	50031	34.107.243.93	192.168.2.5
Oct 14, 2024 06:03:42.981986046 CEST	50031	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:03:42.983407974 CEST	50031	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:03:42.983422995 CEST	443	50031	34.107.243.93	192.168.2.5
Oct 14, 2024 06:03:43.479119062 CEST	443	50031	34.107.243.93	192.168.2.5
Oct 14, 2024 06:03:43.479211092 CEST	50031	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:03:43.484216928 CEST	50031	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:03:43.484226942 CEST	443	50031	34.107.243.93	192.168.2.5
Oct 14, 2024 06:03:43.484245062 CEST	50031	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:03:43.484440088 CEST	443	50031	34.107.243.93	192.168.2.5
Oct 14, 2024 06:03:43.484736919 CEST	50031	443	192.168.2.5	34.107.243.93
Oct 14, 2024 06:03:43.487446070 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:43.492338896 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:43.588236094 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:43.591731071 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:43.597589970 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:43.631874084 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:43.690738916 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:43.732151031 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:53.597942114 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:53.602891922 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:03:53.698189020 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:03:53.703114986 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:04:03.607292891 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:04:03.613178968 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:04:03.704771996 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:04:03.712928057 CEST	80	49720	34.107.221.82	192.168.2.5
Oct 14, 2024 06:04:13.616436958 CEST	49721	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:04:13.621439934 CEST	80	49721	34.107.221.82	192.168.2.5
Oct 14, 2024 06:04:13.716717958 CEST	49720	80	192.168.2.5	34.107.221.82
Oct 14, 2024 06:04:13.721707106 CEST	80	49720	34.107.221.82	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2024 06:02:16.684195042 CEST	60912	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:16.690954924 CEST	53	60912	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:16.691939116 CEST	61112	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:16.699249029 CEST	53	61112	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:17.021166086 CEST	50633	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:17.021466017 CEST	62839	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:17.028263092 CEST	53	50633	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:17.029985905 CEST	56172	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:17.034295082 CEST	50393	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:17.036699057 CEST	53	56172	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:17.037163973 CEST	49924	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:17.040940046 CEST	53	50393	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:17.043618917 CEST	53	49924	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:17.044487953 CEST	52033	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:17.052201986 CEST	53	52033	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:17.331990004 CEST	49185	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:17.336596012 CEST	57475	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:17.338819027 CEST	53	49185	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:17.342573881 CEST	62049	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:17.345300913 CEST	53	57475	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:17.346164942 CEST	65065	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:17.349286079 CEST	53	62049	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:17.352672100 CEST	53	65065	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:17.353617907 CEST	58336	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:17.360342026 CEST	53	58336	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:17.579420090 CEST	49227	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:17.586426020 CEST	53	49227	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:17.604486942 CEST	60962	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:17.611831903 CEST	53	60962	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:17.613296986 CEST	57844	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:17.620542049 CEST	53	57844	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:17.698371887 CEST	59448	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:17.705137014 CEST	53	59448	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:17.750165939 CEST	64212	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:17.756911993 CEST	53	64212	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:18.347408056 CEST	56301	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:18.401546001 CEST	57851	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:18.447226048 CEST	54671	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:18.454236984 CEST	53	54671	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:18.459043026 CEST	53	64272	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:18.474853992 CEST	49200	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:18.481694937 CEST	53	49200	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:18.490894079 CEST	55983	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:18.497812033 CEST	53	55983	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:19.688925028 CEST	61514	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:19.696096897 CEST	53	61514	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:19.697139025 CEST	61907	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:19.704977036 CEST	53	61907	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:19.705869913 CEST	54867	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:19.713123083 CEST	53	54867	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:20.114239931 CEST	49751	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:20.124089003 CEST	53	49751	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:20.124891996 CEST	53764	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:20.132421017 CEST	53	53764	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:22.962197065 CEST	52820	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:22.971668005 CEST	53	52820	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:22.987518072 CEST	52680	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:22.995773077 CEST	53	52680	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:23.010710001 CEST	49178	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:23.019680977 CEST	53	49178	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:23.959110022 CEST	61051	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:23.965981007 CEST	53	61051	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:23.967143059 CEST	58162	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:23.974127054 CEST	53	58162	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:23.974633932 CEST	63116	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:23.981865883 CEST	53	63116	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:29.233036041 CEST	59271	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:29.239600897 CEST	53	59271	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:29.845947027 CEST	63556	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:29.852727890 CEST	53	63556	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:29.853552103 CEST	54336	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:29.860230923 CEST	53	54336	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:31.516197920 CEST	54741	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:31.522938967 CEST	53	54741	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:34.078988075 CEST	61999	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:34.079291105 CEST	65394	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:34.079503059 CEST	55246	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:34.087217093 CEST	53	65394	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:34.087678909 CEST	53	61999	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:34.088143110 CEST	53	55246	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:34.100265026 CEST	58934	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:34.105341911 CEST	60755	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:34.107403994 CEST	61845	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:34.108400106 CEST	53	58934	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:34.111411095 CEST	64240	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:34.114031076 CEST	53	60755	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:34.116681099 CEST	59710	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:34.116872072 CEST	53	61845	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:34.118475914 CEST	53	64240	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:34.120604038 CEST	50352	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:34.120908022 CEST	60970	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:34.123522043 CEST	53	59710	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:34.128353119 CEST	53	50352	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:34.128417969 CEST	53	60970	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:34.132756948 CEST	50715	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:34.137345076 CEST	55145	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:34.141549110 CEST	53	50715	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:34.143345118 CEST	62842	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:34.150703907 CEST	53	55145	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:34.152046919 CEST	53	62842	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:34.152690887 CEST	65242	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:34.157043934 CEST	61667	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:34.163100958 CEST	53	65242	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:34.164611101 CEST	53	61667	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:41.527187109 CEST	56294	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:41.534028053 CEST	53	56294	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:41.534898043 CEST	54444	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:41.541688919 CEST	53	54444	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:44.794150114 CEST	54783	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:44.800740957 CEST	56909	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:44.801084995 CEST	53	54783	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:44.808105946 CEST	53	56909	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:44.809921980 CEST	61589	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:44.816600084 CEST	53	61589	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:44.817095995 CEST	63721	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:44.823916912 CEST	53	63721	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:44.858771086 CEST	53348	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:44.865648031 CEST	53	53348	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:44.871063948 CEST	52307	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:44.877585888 CEST	53	52307	1.1.1.1	192.168.2.5
Oct 14, 2024 06:02:44.879622936 CEST	54358	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:02:44.886300087 CEST	53	54358	1.1.1.1	192.168.2.5
Oct 14, 2024 06:03:02.119878054 CEST	52429	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:03:02.126728058 CEST	53	52429	1.1.1.1	192.168.2.5
Oct 14, 2024 06:03:15.722752094 CEST	64350	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:03:15.729367971 CEST	53	64350	1.1.1.1	192.168.2.5
Oct 14, 2024 06:03:16.216902018 CEST	53518	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:03:42.973016977 CEST	57516	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:03:42.979830027 CEST	53	57516	1.1.1.1	192.168.2.5
Oct 14, 2024 06:03:42.981853008 CEST	61778	53	192.168.2.5	1.1.1.1
Oct 14, 2024 06:03:42.988701105 CEST	53	61778	1.1.1.1	192.168.2.5
Oct 14, 2024 06:03:43.487746000 CEST	62473	53	192.168.2.5	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 14, 2024 06:02:16.684195042 CEST	192.168.2.5	1.1.1.1	0xaa9c	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:16.691939116 CEST	192.168.2.5	1.1.1.1	0x2bae	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 06:02:17.021166086 CEST	192.168.2.5	1.1.1.1	0x6235	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.021466017 CEST	192.168.2.5	1.1.1.1	0x8680	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.029985905 CEST	192.168.2.5	1.1.1.1	0xf158	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.034295082 CEST	192.168.2.5	1.1.1.1	0xffb9	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.037163973 CEST	192.168.2.5	1.1.1.1	0x50f2	Standard query (0)	youtube.com	28	IN (0x0001)	false
Oct 14, 2024 06:02:17.044487953 CEST	192.168.2.5	1.1.1.1	0x766e	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 06:02:17.331990004 CEST	192.168.2.5	1.1.1.1	0x1d49	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.336596012 CEST	192.168.2.5	1.1.1.1	0xfd66	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.342573881 CEST	192.168.2.5	1.1.1.1	0xa8a	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.346164942 CEST	192.168.2.5	1.1.1.1	0x7a47	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 06:02:17.353617907 CEST	192.168.2.5	1.1.1.1	0x1923	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 06:02:17.579420090 CEST	192.168.2.5	1.1.1.1	0xffb7	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.604486942 CEST	192.168.2.5	1.1.1.1	0x9603	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.613296986 CEST	192.168.2.5	1.1.1.1	0x7d36	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 06:02:17.698371887 CEST	192.168.2.5	1.1.1.1	0x1df7	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.750165939 CEST	192.168.2.5	1.1.1.1	0x7bb3	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:18.347408056 CEST	192.168.2.5	1.1.1.1	0x7a10	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:18.401546001 CEST	192.168.2.5	1.1.1.1	0xf024	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:18.447226048 CEST	192.168.2.5	1.1.1.1	0x4e22	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:18.474853992 CEST	192.168.2.5	1.1.1.1	0x5648	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:18.490894079 CEST	192.168.2.5	1.1.1.1	0x5da3	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 06:02:19.688925028 CEST	192.168.2.5	1.1.1.1	0x47ad	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:19.697139025 CEST	192.168.2.5	1.1.1.1	0xee9a	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:19.705869913 CEST	192.168.2.5	1.1.1.1	0x1e21	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 06:02:20.114239931 CEST	192.168.2.5	1.1.1.1	0x50e9	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:20.124891996 CEST	192.168.2.5	1.1.1.1	0xfbab	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 06:02:22.962197065 CEST	192.168.2.5	1.1.1.1	0x5969	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:22.987518072 CEST	192.168.2.5	1.1.1.1	0x8bf0	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:23.010710001 CEST	192.168.2.5	1.1.1.1	0x8d5d	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 06:02:23.959110022 CEST	192.168.2.5	1.1.1.1	0xe895	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:23.967143059 CEST	192.168.2.5	1.1.1.1	0x7529	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:23.974633932 CEST	192.168.2.5	1.1.1.1	0x9555	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 06:02:29.233036041 CEST	192.168.2.5	1.1.1.1	0x51e9	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:29.845947027 CEST	192.168.2.5	1.1.1.1	0xd811	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:29.853552103 CEST	192.168.2.5	1.1.1.1	0x8063	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 06:02:31.516197920 CEST	192.168.2.5	1.1.1.1	0xb96a	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 06:02:34.078988075 CEST	192.168.2.5	1.1.1.1	0x1eba	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.079291105 CEST	192.168.2.5	1.1.1.1	0x8f85	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.079503059 CEST	192.168.2.5	1.1.1.1	0x630f	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.100265026 CEST	192.168.2.5	1.1.1.1	0xc317	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.105341911 CEST	192.168.2.5	1.1.1.1	0x2a65	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.107403994 CEST	192.168.2.5	1.1.1.1	0xb3f5	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.111411095 CEST	192.168.2.5	1.1.1.1	0x8730	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Oct 14, 2024 06:02:34.116681099 CEST	192.168.2.5	1.1.1.1	0xebd7	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Oct 14, 2024 06:02:34.120604038 CEST	192.168.2.5	1.1.1.1	0xe63b	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Oct 14, 2024 06:02:34.120908022 CEST	192.168.2.5	1.1.1.1	0x7305	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.132756948 CEST	192.168.2.5	1.1.1.1	0x8c5b	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.137345076 CEST	192.168.2.5	1.1.1.1	0xa829	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.143345118 CEST	192.168.2.5	1.1.1.1	0xfa9f	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.152690887 CEST	192.168.2.5	1.1.1.1	0x7e12	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Oct 14, 2024 06:02:34.157043934 CEST	192.168.2.5	1.1.1.1	0xe576	Standard query (0)	twitter.com	28	IN (0x0001)	false
Oct 14, 2024 06:02:41.527187109 CEST	192.168.2.5	1.1.1.1	0xafd9	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:41.534898043 CEST	192.168.2.5	1.1.1.1	0x11b6	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 06:02:44.794150114 CEST	192.168.2.5	1.1.1.1	0xb477	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Oct 14, 2024 06:02:44.800740957 CEST	192.168.2.5	1.1.1.1	0x5f0e	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:44.809921980 CEST	192.168.2.5	1.1.1.1	0xb5b7	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:44.817095995 CEST	192.168.2.5	1.1.1.1	0xa38b	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Oct 14, 2024 06:02:44.858771086 CEST	192.168.2.5	1.1.1.1	0xeaf4	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:44.871063948 CEST	192.168.2.5	1.1.1.1	0xd628	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:44.879622936 CEST	192.168.2.5	1.1.1.1	0x1ae0	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 06:03:02.119878054 CEST	192.168.2.5	1.1.1.1	0x68a8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 06:03:15.722752094 CEST	192.168.2.5	1.1.1.1	0x1d39	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 06:03:16.216902018 CEST	192.168.2.5	1.1.1.1	0x65bf	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:03:42.973016977 CEST	192.168.2.5	1.1.1.1	0xa428	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:03:42.981853008 CEST	192.168.2.5	1.1.1.1	0xf0a9	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Oct 14, 2024 06:03:43.487746000 CEST	192.168.2.5	1.1.1.1	0xca7a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 14, 2024 06:02:16.655255079 CEST	1.1.1.1	192.168.2.5	0xafbf	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:16.690954924 CEST	1.1.1.1	192.168.2.5	0xaa9c	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.028263092 CEST	1.1.1.1	192.168.2.5	0x6235	No error (0)	youtube.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.028497934 CEST	1.1.1.1	192.168.2.5	0x8680	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:02:17.028497934 CEST	1.1.1.1	192.168.2.5	0x8680	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.036699057 CEST	1.1.1.1	192.168.2.5	0xf158	No error (0)	youtube.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.040940046 CEST	1.1.1.1	192.168.2.5	0xffb9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.043618917 CEST	1.1.1.1	192.168.2.5	0x50f2	No error (0)	youtube.com			28	IN (0x0001)	false
Oct 14, 2024 06:02:17.052201986 CEST	1.1.1.1	192.168.2.5	0x766e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Oct 14, 2024 06:02:17.334687948 CEST	1.1.1.1	192.168.2.5	0x60d0	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:02:17.334687948 CEST	1.1.1.1	192.168.2.5	0x60d0	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.338819027 CEST	1.1.1.1	192.168.2.5	0x1d49	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.345300913 CEST	1.1.1.1	192.168.2.5	0xfd66	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.349286079 CEST	1.1.1.1	192.168.2.5	0xa8a	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.586426020 CEST	1.1.1.1	192.168.2.5	0xffb7	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:02:17.586426020 CEST	1.1.1.1	192.168.2.5	0xffb7	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.611831903 CEST	1.1.1.1	192.168.2.5	0x9603	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.705137014 CEST	1.1.1.1	192.168.2.5	0x1df7	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.756911993 CEST	1.1.1.1	192.168.2.5	0x7bb3	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:17.756911993 CEST	1.1.1.1	192.168.2.5	0x7bb3	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:18.353991032 CEST	1.1.1.1	192.168.2.5	0x7a10	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:02:18.353991032 CEST	1.1.1.1	192.168.2.5	0x7a10	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:18.409888983 CEST	1.1.1.1	192.168.2.5	0xf024	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:02:18.454236984 CEST	1.1.1.1	192.168.2.5	0x4e22	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:18.481694937 CEST	1.1.1.1	192.168.2.5	0x5648	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:18.584815025 CEST	1.1.1.1	192.168.2.5	0x6170	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:02:18.584815025 CEST	1.1.1.1	192.168.2.5	0x6170	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:19.696096897 CEST	1.1.1.1	192.168.2.5	0x47ad	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:02:19.696096897 CEST	1.1.1.1	192.168.2.5	0x47ad	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:02:19.696096897 CEST	1.1.1.1	192.168.2.5	0x47ad	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:19.704977036 CEST	1.1.1.1	192.168.2.5	0xee9a	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:19.713123083 CEST	1.1.1.1	192.168.2.5	0x1e21	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Oct 14, 2024 06:02:20.112838030 CEST	1.1.1.1	192.168.2.5	0x39a3	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:20.124089003 CEST	1.1.1.1	192.168.2.5	0x50e9	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:22.971668005 CEST	1.1.1.1	192.168.2.5	0x5969	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:02:22.971668005 CEST	1.1.1.1	192.168.2.5	0x5969	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:02:22.971668005 CEST	1.1.1.1	192.168.2.5	0x5969	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:22.995773077 CEST	1.1.1.1	192.168.2.5	0x8bf0	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:23.767170906 CEST	1.1.1.1	192.168.2.5	0x4b17	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:23.965981007 CEST	1.1.1.1	192.168.2.5	0xe895	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:02:23.965981007 CEST	1.1.1.1	192.168.2.5	0xe895	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:23.974127054 CEST	1.1.1.1	192.168.2.5	0x7529	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:29.239600897 CEST	1.1.1.1	192.168.2.5	0x51e9	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:29.852727890 CEST	1.1.1.1	192.168.2.5	0xd811	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087217093 CEST	1.1.1.1	192.168.2.5	0x8f85	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087217093 CEST	1.1.1.1	192.168.2.5	0x8f85	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087678909 CEST	1.1.1.1	192.168.2.5	0x1eba	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087678909 CEST	1.1.1.1	192.168.2.5	0x1eba	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087678909 CEST	1.1.1.1	192.168.2.5	0x1eba	No error (0)	youtube-ui.l.google.com		142.250.186.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087678909 CEST	1.1.1.1	192.168.2.5	0x1eba	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087678909 CEST	1.1.1.1	192.168.2.5	0x1eba	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087678909 CEST	1.1.1.1	192.168.2.5	0x1eba	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087678909 CEST	1.1.1.1	192.168.2.5	0x1eba	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087678909 CEST	1.1.1.1	192.168.2.5	0x1eba	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087678909 CEST	1.1.1.1	192.168.2.5	0x1eba	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087678909 CEST	1.1.1.1	192.168.2.5	0x1eba	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087678909 CEST	1.1.1.1	192.168.2.5	0x1eba	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087678909 CEST	1.1.1.1	192.168.2.5	0x1eba	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087678909 CEST	1.1.1.1	192.168.2.5	0x1eba	No error (0)	youtube-ui.l.google.com		172.217.23.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087678909 CEST	1.1.1.1	192.168.2.5	0x1eba	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087678909 CEST	1.1.1.1	192.168.2.5	0x1eba	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087678909 CEST	1.1.1.1	192.168.2.5	0x1eba	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.087678909 CEST	1.1.1.1	192.168.2.5	0x1eba	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.088143110 CEST	1.1.1.1	192.168.2.5	0x630f	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:02:34.088143110 CEST	1.1.1.1	192.168.2.5	0x630f	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.108400106 CEST	1.1.1.1	192.168.2.5	0xc317	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.114031076 CEST	1.1.1.1	192.168.2.5	0x2a65	No error (0)	star-mini.c10r.facebook.com		157.240.253.35	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.116872072 CEST	1.1.1.1	192.168.2.5	0xb3f5	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.116872072 CEST	1.1.1.1	192.168.2.5	0xb3f5	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.116872072 CEST	1.1.1.1	192.168.2.5	0xb3f5	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.116872072 CEST	1.1.1.1	192.168.2.5	0xb3f5	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.116872072 CEST	1.1.1.1	192.168.2.5	0xb3f5	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.116872072 CEST	1.1.1.1	192.168.2.5	0xb3f5	No error (0)	youtube-ui.l.google.com		142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.116872072 CEST	1.1.1.1	192.168.2.5	0xb3f5	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.116872072 CEST	1.1.1.1	192.168.2.5	0xb3f5	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.116872072 CEST	1.1.1.1	192.168.2.5	0xb3f5	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.116872072 CEST	1.1.1.1	192.168.2.5	0xb3f5	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.116872072 CEST	1.1.1.1	192.168.2.5	0xb3f5	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.116872072 CEST	1.1.1.1	192.168.2.5	0xb3f5	No error (0)	youtube-ui.l.google.com		142.250.184.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.116872072 CEST	1.1.1.1	192.168.2.5	0xb3f5	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.116872072 CEST	1.1.1.1	192.168.2.5	0xb3f5	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.116872072 CEST	1.1.1.1	192.168.2.5	0xb3f5	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.116872072 CEST	1.1.1.1	192.168.2.5	0xb3f5	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.118475914 CEST	1.1.1.1	192.168.2.5	0x8730	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Oct 14, 2024 06:02:34.123522043 CEST	1.1.1.1	192.168.2.5	0xebd7	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Oct 14, 2024 06:02:34.128353119 CEST	1.1.1.1	192.168.2.5	0xe63b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 06:02:34.128353119 CEST	1.1.1.1	192.168.2.5	0xe63b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 06:02:34.128353119 CEST	1.1.1.1	192.168.2.5	0xe63b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 06:02:34.128353119 CEST	1.1.1.1	192.168.2.5	0xe63b	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Oct 14, 2024 06:02:34.128417969 CEST	1.1.1.1	192.168.2.5	0x7305	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:02:34.128417969 CEST	1.1.1.1	192.168.2.5	0x7305	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.128417969 CEST	1.1.1.1	192.168.2.5	0x7305	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.128417969 CEST	1.1.1.1	192.168.2.5	0x7305	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.128417969 CEST	1.1.1.1	192.168.2.5	0x7305	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.141549110 CEST	1.1.1.1	192.168.2.5	0x8c5b	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.150703907 CEST	1.1.1.1	192.168.2.5	0xa829	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.150703907 CEST	1.1.1.1	192.168.2.5	0xa829	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.150703907 CEST	1.1.1.1	192.168.2.5	0xa829	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.150703907 CEST	1.1.1.1	192.168.2.5	0xa829	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:34.152046919 CEST	1.1.1.1	192.168.2.5	0xfa9f	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:41.534028053 CEST	1.1.1.1	192.168.2.5	0xafd9	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:44.808105946 CEST	1.1.1.1	192.168.2.5	0x5f0e	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:44.808105946 CEST	1.1.1.1	192.168.2.5	0x5f0e	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:44.808105946 CEST	1.1.1.1	192.168.2.5	0x5f0e	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:44.808105946 CEST	1.1.1.1	192.168.2.5	0x5f0e	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:44.816600084 CEST	1.1.1.1	192.168.2.5	0xb5b7	No error (0)	services.addons.mozilla.org		52.222.236.48	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:44.816600084 CEST	1.1.1.1	192.168.2.5	0xb5b7	No error (0)	services.addons.mozilla.org		52.222.236.80	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:44.816600084 CEST	1.1.1.1	192.168.2.5	0xb5b7	No error (0)	services.addons.mozilla.org		52.222.236.120	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:44.816600084 CEST	1.1.1.1	192.168.2.5	0xb5b7	No error (0)	services.addons.mozilla.org		52.222.236.23	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:44.865648031 CEST	1.1.1.1	192.168.2.5	0xeaf4	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:02:44.865648031 CEST	1.1.1.1	192.168.2.5	0xeaf4	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:44.877585888 CEST	1.1.1.1	192.168.2.5	0xd628	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:02:46.073645115 CEST	1.1.1.1	192.168.2.5	0xd71c	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:02:46.073645115 CEST	1.1.1.1	192.168.2.5	0xd71c	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:03:15.715799093 CEST	1.1.1.1	192.168.2.5	0x7fe4	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:03:16.223619938 CEST	1.1.1.1	192.168.2.5	0x65bf	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:03:16.223619938 CEST	1.1.1.1	192.168.2.5	0x65bf	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:03:42.979830027 CEST	1.1.1.1	192.168.2.5	0xa428	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Oct 14, 2024 06:03:43.494667053 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 14, 2024 06:03:43.494667053 CEST	1.1.1.1	192.168.2.5	0xca7a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	34.107.221.82	80	1352	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:02:17.081407070 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:02:17.542042971 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55199 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49720	34.107.221.82	80	1352	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:02:18.366478920 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:02:18.825754881 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36562 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:02:19.681871891 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:02:19.780025959 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36563 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:02:22.948940039 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:02:23.048011065 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36567 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:02:23.953488111 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:02:24.050940990 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36568 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:02:29.233144999 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:02:29.331871033 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36573 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:02:30.770299911 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:02:30.868216991 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36574 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:02:31.690485001 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:02:31.788239956 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36575 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:02:34.262485027 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:02:34.361880064 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36578 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:02:34.693480968 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:02:34.791450024 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36578 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:02:35.204551935 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:02:35.302232027 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36579 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:02:42.180736065 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:02:42.280065060 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36586 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:02:45.392149925 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:02:45.490236998 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36589 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:02:45.691190004 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:02:45.788911104 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36589 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:02:45.996692896 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:02:46.097954988 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36590 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:02:46.168402910 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:02:46.266046047 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36590 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:02:56.120613098 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:02:56.218883991 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36600 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:03:02.729551077 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:03:02.827513933 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36606 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:03:12.827770948 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 06:03:16.319032907 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:03:16.416496992 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36620 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:03:26.419521093 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 06:03:36.425796032 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 06:03:43.591731071 CEST	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Oct 14, 2024 06:03:43.690738916 CEST	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sun, 13 Oct 2024 17:52:56 GMT Age: 36647 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Oct 14, 2024 06:03:53.698189020 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 06:04:03.704771996 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 06:04:13.716717958 CEST	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49721	34.107.221.82	80	1352	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Oct 14, 2024 06:02:18.374002934 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:02:18.846254110 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55200 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 06:02:20.014432907 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:02:20.117317915 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55202 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 06:02:23.759617090 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:02:23.859653950 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55205 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 06:02:24.382776022 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:02:24.482549906 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55206 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 06:02:29.849793911 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:02:29.949613094 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55211 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 06:02:31.571144104 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:02:31.671509981 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55213 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 06:02:34.077796936 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:02:34.180687904 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55216 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 06:02:34.590589046 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:02:34.690150023 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55216 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 06:02:35.100450039 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:02:35.200844049 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55217 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 06:02:42.077056885 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:02:42.176987886 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55224 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 06:02:45.289228916 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:02:45.389066935 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55227 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 06:02:45.586446047 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:02:45.686412096 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55227 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 06:02:45.879445076 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:02:45.992819071 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55227 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 06:02:46.064186096 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:02:46.164053917 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55228 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 06:02:56.013652086 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:02:56.113852978 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55238 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 06:03:02.620959044 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:03:02.721039057 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55244 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 06:03:12.729226112 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 06:03:16.216321945 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:03:16.316057920 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55258 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 06:03:26.319494009 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 06:03:36.325498104 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 06:03:43.487446070 CEST	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Oct 14, 2024 06:03:43.588236094 CEST	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sun, 13 Oct 2024 12:42:18 GMT Age: 55285 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Oct 14, 2024 06:03:53.597942114 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 06:04:03.607292891 CEST	6	OUT	Data Raw: 00 Data Ascii:
Oct 14, 2024 06:04:13.616436958 CEST	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	00:02:06
Start date:	14/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xc50000
File size:	919'552 bytes
MD5 hash:	6F9619FA7CF95762CC014F84B308C135
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:02:06
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x5b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:02:06
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:02:09
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x5b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:02:09
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:02:09
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x5b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:02:09
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:02:09
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x5b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:02:09
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:02:09
Start date:	14/10/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x5b0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:02:10
Start date:	14/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:02:10
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:02:10
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:02:11
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	00:02:13
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2168 -parentBuildID 20230927232528 -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6efb8e24-567d-4fe6-86ee-59a725f1c88d} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 2bc7146e310 socket
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	00:02:16
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3768 -parentBuildID 20230927232528 -prefsHandle 2972 -prefMapHandle 1404 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d7b3dce-133c-439f-9923-f863713a0353} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 2bc82924e10 rdd
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	00:02:17
Start date:	14/10/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5088 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5028 -prefMapHandle 5064 -prefsLen 31270 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c982563-852c-4314-abb2-ed591bccd091} 1352 "\\.\pipe\gecko-crash-server-pipe.1352" 2bc71473110 utility
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	1570
Total number of Limit Nodes:	53

Executed Functions

Function 00C542DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C5430D

Part of subcall function 00C56B57: _wcslen.LIBCMT ref: 00C56B6A

GetCurrentProcess.KERNEL32(?,00CECB64,00000000,?,?), ref: 00C54422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00C54429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00C54454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C54466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00C54474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00C5447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00C544A0

Strings

|O, xrefs: 00C936F8
kernel32.dll, xrefs: 00C5444F
GetNativeSystemInfo, xrefs: 00C54460

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 43a7941f1241ef8aade2db9482373a710aebe48a1d279b650e018fdffb8499fc
Instruction ID: 632b3aa9470ad00ba870f15dec7d28f07c0b962da4e64d93476869117e1ee997
Opcode Fuzzy Hash: 43a7941f1241ef8aade2db9482373a710aebe48a1d279b650e018fdffb8499fc
Instruction Fuzzy Hash: 3BA1B27E90A3C0CFCB35C7697C842997FA66B76304B04D899E451D7B22D321468BDB35

Function 00C542A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C550AA,?,?,00000000,00000000), ref: 00C542B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C550AA,?,?,00000000,00000000), ref: 00C542C9
LoadResource.KERNEL32(?,00000000,?,?,00C550AA,?,?,00000000,00000000,?,?,?,?,?,?,00C54F20), ref: 00C935BE
SizeofResource.KERNEL32(?,00000000,?,?,00C550AA,?,?,00000000,00000000,?,?,?,?,?,?,00C54F20), ref: 00C935D3
LockResource.KERNEL32(00C550AA,?,?,00C550AA,?,?,00000000,00000000,?,?,?,?,?,?,00C54F20,?), ref: 00C935E6

Strings

SCRIPT, xrefs: 00C542BF

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: dcc3f22a3a75c9b8dc675eb921f7513d07782be95540eb687c047bb4a703d4a9
Instruction ID: 1681152e329eb0047e2483e38027915167ca0be776250a4e27de769fc3b3d73a
Opcode Fuzzy Hash: dcc3f22a3a75c9b8dc675eb921f7513d07782be95540eb687c047bb4a703d4a9
Instruction Fuzzy Hash: A011CE74200341BFDB258B65DC88F2B7BB9EBC5B56F104169F913CA290DB71DC868620

Function 00C92BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00C52B6B

Part of subcall function 00C53A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D21418,?,00C52E7F,?,?,?,00000000), ref: 00C53A78

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00D12224), ref: 00C92C10
ShellExecuteW.SHELL32(00000000,?,?,00D12224), ref: 00C92C17

Strings

runas, xrefs: 00C92C0B

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 73711b41686893f021a6092e9701ce64a56956978c64d34af9fb0c92bcd9bd6e
Instruction ID: 717a520f9bdf7aea261d4550a420e1f7bcb3d2e5516e926f85570b96e9166b8d
Opcode Fuzzy Hash: 73711b41686893f021a6092e9701ce64a56956978c64d34af9fb0c92bcd9bd6e
Instruction Fuzzy Hash: 8811D539208385ABC714FF60E891ABD77E49FE1342F44442DF896460A3DF2086CEA726

Function 00CBD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CBD501
Process32FirstW.KERNEL32(00000000,?), ref: 00CBD50F
Process32NextW.KERNEL32(00000000,?), ref: 00CBD52F
CloseHandle.KERNELBASE(00000000), ref: 00CBD5DC

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 0f71fc7128bbf0f4134a5bdd383b39a97b3a9374395ac4ac613a712a1dc12bb4
Instruction ID: 11038ff8afbc0e6d651532703b445043764317a26f98d0ee5a063c324d35818d
Opcode Fuzzy Hash: 0f71fc7128bbf0f4134a5bdd383b39a97b3a9374395ac4ac613a712a1dc12bb4
Instruction Fuzzy Hash: E331A7711083409FD310EF54C881BAFBBF8EF99354F14092DF592871A2EB719A89DB92

Function 00CBDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00C95222), ref: 00CBDBCE
GetFileAttributesW.KERNELBASE(?), ref: 00CBDBDD
FindFirstFileW.KERNEL32(?,?), ref: 00CBDBEE
FindClose.KERNEL32(00000000), ref: 00CBDBFA

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 9cffd9522e2c519acd8efc295ebe3a0867a9ec5cc2494d38a6377ccb677661b2
Instruction ID: 0f68bb54ded1c4cb5864d6ef5c54e5a1a738895a89dc5a0d6310720c9b0f878b
Opcode Fuzzy Hash: 9cffd9522e2c519acd8efc295ebe3a0867a9ec5cc2494d38a6377ccb677661b2
Instruction Fuzzy Hash: ADF0A0308109105783206B78AC8EAAE3B6C9E01334F104702F936C20F0FBB05E568695

Function 00C74CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00C828E9,?,00C74CBE,00C828E9,00D188B8,0000000C,00C74E15,00C828E9,00000002,00000000,?,00C828E9), ref: 00C74D09
TerminateProcess.KERNEL32(00000000,?,00C74CBE,00C828E9,00D188B8,0000000C,00C74E15,00C828E9,00000002,00000000,?,00C828E9), ref: 00C74D10
ExitProcess.KERNEL32 ref: 00C74D22

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 83ff33b678d5272d2d8fd3d7c48835b79c57356fe4df0e70e46cc5d5b82f6512
Instruction ID: ff2a89cfc5e1b89ef0bd6ab98d9b91e0fb3341fffaddb44def93ad107e5f5445
Opcode Fuzzy Hash: 83ff33b678d5272d2d8fd3d7c48835b79c57356fe4df0e70e46cc5d5b82f6512
Instruction Fuzzy Hash: 31E0B631000188EFCF25AF54DD99B9C3B69FB51795B118014FC699A132DB35EE52DB80

Function 00CDAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00CDB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CDB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CDB1D4
_wcslen.LIBCMT ref: 00CDB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CDB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CDB236
_wcslen.LIBCMT ref: 00CDB332

Part of subcall function 00CC05A7: GetStdHandle.KERNEL32(000000F6), ref: 00CC05C6

_wcslen.LIBCMT ref: 00CDB34B
_wcslen.LIBCMT ref: 00CDB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CDB3B6
GetLastError.KERNEL32(00000000), ref: 00CDB407
CloseHandle.KERNEL32(?), ref: 00CDB439
CloseHandle.KERNEL32(00000000), ref: 00CDB44A
CloseHandle.KERNEL32(00000000), ref: 00CDB45C
CloseHandle.KERNEL32(00000000), ref: 00CDB46E
CloseHandle.KERNEL32(?), ref: 00CDB4E3

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 0ddccf5537a7650bc3cfe663c9effbb6bc7672704b09c9590d34646339c0dee2
Instruction ID: b05cff2d47941c97052dda205c05b38fe286ef9ba57371cbd05404281c54afc1
Opcode Fuzzy Hash: 0ddccf5537a7650bc3cfe663c9effbb6bc7672704b09c9590d34646339c0dee2
Instruction Fuzzy Hash: 03F18631608240DFC724EF24C881B6ABBE4AF85314F19855EF9998B3A2DB31ED45DB52

Function 00C5D731 Relevance: 21.6, APIs: 14, Instructions: 624windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C5D807
timeGetTime.WINMM ref: 00C5DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C5DB28
TranslateMessage.USER32(?), ref: 00C5DB7B
DispatchMessageW.USER32(?), ref: 00C5DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C5DB9F
Sleep.KERNELBASE(0000000A), ref: 00C5DBB1

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 047532c056fbafa62f2f4ac8c030edab9fc2ccf0419a9ed37c87d5dacf2fe48e
Instruction ID: 1101cab589b023471efec56192447a2c7aebae04e2a2a31a7b443992e8ab5b4e
Opcode Fuzzy Hash: 047532c056fbafa62f2f4ac8c030edab9fc2ccf0419a9ed37c87d5dacf2fe48e
Instruction Fuzzy Hash: F2422234608342EFD738CF24C884BAAB7E1FF46309F14851DE86687291D770E989DB96

Function 00C52CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C52D07
RegisterClassExW.USER32(00000030), ref: 00C52D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C52D42
InitCommonControlsEx.COMCTL32(?), ref: 00C52D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C52D6F
LoadIconW.USER32(000000A9), ref: 00C52D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C52D94

Strings

TaskbarCreated, xrefs: 00C52D37
0, xrefs: 00C52CE9
AutoIt v3 GUI, xrefs: 00C52D23
+, xrefs: 00C52CF0

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: f02b3c0aaf97e4100ea611bae7171a700b476e041df38a69d78a0b6c1a1a15d1
Instruction ID: 690cfdd68b49ba9fd0626020641eeb939b00e866c03124229b1fb063b65cee3b
Opcode Fuzzy Hash: f02b3c0aaf97e4100ea611bae7171a700b476e041df38a69d78a0b6c1a1a15d1
Instruction Fuzzy Hash: 8F21C8B9901359AFDB10DF94E889BDD7BB4FB18700F00811AF521EA390D7B55585CF61

Function 00C9065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C9039A: CreateFileW.KERNELBASE(00000000,00000000,?,00C90704,?,?,00000000,?,00C90704,00000000,0000000C), ref: 00C903B7

GetLastError.KERNEL32 ref: 00C9076F
__dosmaperr.LIBCMT ref: 00C90776
GetFileType.KERNELBASE(00000000), ref: 00C90782
GetLastError.KERNEL32 ref: 00C9078C
__dosmaperr.LIBCMT ref: 00C90795
CloseHandle.KERNEL32(00000000), ref: 00C907B5
CloseHandle.KERNEL32(?), ref: 00C908FF
GetLastError.KERNEL32 ref: 00C90931
__dosmaperr.LIBCMT ref: 00C90938

Strings

H, xrefs: 00C908BD

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: a06d25c79ae2699e803f4db28fd791820d7943d10e6747a91e2c66eda1f3a619
Instruction ID: 0846322297bd8153c46ad5565dcb7c91c0ca9ba3913416d12a41af560e3ce85a
Opcode Fuzzy Hash: a06d25c79ae2699e803f4db28fd791820d7943d10e6747a91e2c66eda1f3a619
Instruction Fuzzy Hash: 83A10632A041448FDF19AF68D895BAE7BA1AB06320F24415DF825DF3E2DB319D13DB91

Function 00C5344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C53A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00D21418,?,00C52E7F,?,?,?,00000000), ref: 00C53A78

Part of subcall function 00C53357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C53379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C5356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C9318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C931CE
RegCloseKey.ADVAPI32(?), ref: 00C93210
_wcslen.LIBCMT ref: 00C93277
_wcslen.LIBCMT ref: 00C93286

Strings

\Include\, xrefs: 00C53527
\, xrefs: 00C9328C
Software\AutoIt v3\AutoIt, xrefs: 00C53560
Include, xrefs: 00C93184, 00C931C5

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 7f09bc603a005aad935689df215b082ceb288ecf7a02f4b3582af146c2e08bc2
Instruction ID: 19f7dc49ec2351985830ab8e7cd5dc9b880c27ab46b6a2657f4b00e6296892bb
Opcode Fuzzy Hash: 7f09bc603a005aad935689df215b082ceb288ecf7a02f4b3582af146c2e08bc2
Instruction Fuzzy Hash: 2471B371404341AEC724EF65DC8596BBBE8FFA4350F40042EF955C32B1EB309A8ADB66

Function 00C52B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C52B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00C52B9D
LoadIconW.USER32(00000063), ref: 00C52BB3
LoadIconW.USER32(000000A4), ref: 00C52BC5
LoadIconW.USER32(000000A2), ref: 00C52BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C52BEF
RegisterClassExW.USER32(?), ref: 00C52C40

Part of subcall function 00C52CD4: GetSysColorBrush.USER32(0000000F), ref: 00C52D07
Part of subcall function 00C52CD4: RegisterClassExW.USER32(00000030), ref: 00C52D31
Part of subcall function 00C52CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C52D42
Part of subcall function 00C52CD4: InitCommonControlsEx.COMCTL32(?), ref: 00C52D5F
Part of subcall function 00C52CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C52D6F
Part of subcall function 00C52CD4: LoadIconW.USER32(000000A9), ref: 00C52D85
Part of subcall function 00C52CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C52D94

Strings

#, xrefs: 00C52C16
0, xrefs: 00C52C0F
AutoIt v3, xrefs: 00C52C2F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 325c0e80c4b65ff9ef4a1c14c3cb0971cd0890a67b7f6c88cace8bc0e6b8407a
Instruction ID: ab6829ea9101e0675aa84c60b9267bf2d9a457bd4729e4e38df1597bfd293910
Opcode Fuzzy Hash: 325c0e80c4b65ff9ef4a1c14c3cb0971cd0890a67b7f6c88cace8bc0e6b8407a
Instruction Fuzzy Hash: 6C211D78E00354ABDB20DFA5EC95B9D7FB6FB68B50F00802AE510E67A0D7B11542DFA4

Function 00C53170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00C5316A,?,?), ref: 00C531D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00C5316A,?,?), ref: 00C53204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C53227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00C5316A,?,?), ref: 00C53232
CreatePopupMenu.USER32 ref: 00C53246
PostQuitMessage.USER32(00000000), ref: 00C53267

Strings

TaskbarCreated, xrefs: 00C5322D

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 8584ef44465e4094d2b397e64a2977d2afa495f689e1c26304d6b5395912d4bd
Instruction ID: 43ba3b8a538968444d599e0d45b952e03e4f238ef7359403848ac0d390e0e455
Opcode Fuzzy Hash: 8584ef44465e4094d2b397e64a2977d2afa495f689e1c26304d6b5395912d4bd
Instruction Fuzzy Hash: 3941593D2046C4A6DF255B789C8DB7E3A19E725382F044125FD21CA292CB709BCAA779

Function 00C51410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C51459
CoUninitialize.COMBASE ref: 00C514F8
UnregisterHotKey.USER32(?), ref: 00C516DD
DestroyWindow.USER32(?), ref: 00C924B9
FreeLibrary.KERNEL32(?), ref: 00C9251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C9254B

Strings

close all, xrefs: 00C51454

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 443934b704068cd197fa378b5993fccb0b730a350b74a6b7cc4a6ce5b65504c3
Instruction ID: 3533b19ce99b5b14dceb6d1116ef9f067fb5a97da0bd03adcb15613b2612f1c2
Opcode Fuzzy Hash: 443934b704068cd197fa378b5993fccb0b730a350b74a6b7cc4a6ce5b65504c3
Instruction Fuzzy Hash: E2D18B35701212DFCB29EF15C8D9B29F7A0BF04701F1941ADE88AAB252DB30AD56DF54

Function 00C52C63 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,InitializeCriticalSectionEx,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C52C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C52CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C51CAD,?), ref: 00C52CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C51CAD,?), ref: 00C52CCF

Strings

InitializeCriticalSectionEx, xrefs: 00C52C84
AutoIt v3, xrefs: 00C52C89, 00C52C8E, 00C52C8F
edit, xrefs: 00C52CAC

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$InitializeCriticalSectionEx$edit
API String ID: 1584632944-2155800390
Opcode ID: 828344912d94aff4ecb7c98c3ff606a4dd254c3eccd09aae2c62610d1c15ad2b
Instruction ID: c243d13be6a35580392cd1a57201be977727bb6ddc8f8fb102cfc57d6a361f2b
Opcode Fuzzy Hash: 828344912d94aff4ecb7c98c3ff606a4dd254c3eccd09aae2c62610d1c15ad2b
Instruction Fuzzy Hash: 86F03A795403D47AEB305753AC88F772EBED7EAF50B01802AF900E62A0C6711842DAB0

Function 00C53B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00C53B0F,SwapMouseButtons,00000004,?), ref: 00C53B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00C53B0F,SwapMouseButtons,00000004,?), ref: 00C53B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00C53B0F,SwapMouseButtons,00000004,?), ref: 00C53B83

Strings

Control Panel\Mouse, xrefs: 00C53B3E

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: f26d1a301d66dd8724b815269efb4373d47edefe75933c4b229d8f72c48ced88
Instruction ID: 0b83d313ee5391ee850ee3481ae0ac21e961e1b80b22a907bdf2cee1e312654f
Opcode Fuzzy Hash: f26d1a301d66dd8724b815269efb4373d47edefe75933c4b229d8f72c48ced88
Instruction Fuzzy Hash: 95113CBA510258FFDB20CFA5DC84EAFB7B8EF04785B104459F805D7110D2319F859764

Function 00C53923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C933A2

Part of subcall function 00C56B57: _wcslen.LIBCMT ref: 00C56B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C53A04

Strings

Line: , xrefs: 00C933EB

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: b40160f61b4976b3a9cca54877d90edd8ab995bab5cd1975d87f21771b512b41
Instruction ID: 5f066c409cf5e493f58b601d896806d0834e00b172f5f38ea0905a037e23da6b
Opcode Fuzzy Hash: b40160f61b4976b3a9cca54877d90edd8ab995bab5cd1975d87f21771b512b41
Instruction Fuzzy Hash: CC31E375408384AAC721EB20DC45BEFB7D8AF60351F00492AF999831A1DB70978DD7DA

Function 00C6FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00C70668

Part of subcall function 00C732A4: RaiseException.KERNEL32(?,?,?,00C7068A,?,00D21444,?,?,?,?,?,?,00C7068A,00C51129,00D18738,00C51129), ref: 00C73304

__CxxThrowException@8.LIBVCRUNTIME ref: 00C70685

Strings

Unknown exception, xrefs: 00C70692

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 080bf8138d63b12ef324d55003a301ec879366f59af843957e37c7725ddc0608
Instruction ID: babd6d38fe6f2f00beaec8b5b5a29bf4257868701d0c4bb4337f03a1ea5e8f6e
Opcode Fuzzy Hash: 080bf8138d63b12ef324d55003a301ec879366f59af843957e37c7725ddc0608
Instruction Fuzzy Hash: 76F0C23490020DB7CB10FA65E896C9E7B6C6E40350B70C135BC2C96592EF71EB6AEA90

Function 00C510F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C51BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C51BF4
Part of subcall function 00C51BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C51BFC
Part of subcall function 00C51BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C51C07
Part of subcall function 00C51BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C51C12
Part of subcall function 00C51BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C51C1A
Part of subcall function 00C51BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C51C22

Part of subcall function 00C51B4A: RegisterWindowMessageW.USER32(00000004,?,00C512C4), ref: 00C51BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C5136A
OleInitialize.OLE32 ref: 00C51388
CloseHandle.KERNEL32(00000000,00000000), ref: 00C924AB

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 9a25c96dea4cb3118c5eec61a7fb0947adceb96b9b324fea3a17519c6af16dbb
Instruction ID: ac2a36c31da05f409fd362f5c6f5cfcd3e3f4e72540b77981188cb5ddab01300
Opcode Fuzzy Hash: 9a25c96dea4cb3118c5eec61a7fb0947adceb96b9b324fea3a17519c6af16dbb
Instruction Fuzzy Hash: 9871DABC8013449EC7A4EF7AA8856587AF0BBB8345354C2BAD81AC7361EB304447DF74

Function 00CBC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C53923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C53A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00CBC259
KillTimer.USER32(?,00000001,?,?), ref: 00CBC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00CBC270

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 945b6454b6d391a101b7090d4e82cc4d2e950dfa9745e3a063ad465796ddb565
Instruction ID: 93eba979e6ed5ba92b1a60de44ea16575a69abfc60b61893c4884220e0e4d8df
Opcode Fuzzy Hash: 945b6454b6d391a101b7090d4e82cc4d2e950dfa9745e3a063ad465796ddb565
Instruction Fuzzy Hash: 09319370904384AFEB32DF64C8D5BEBBBEC9B16304F00449AD5EAA7241C7745A85CB52

Function 00C886AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00C885CC,?,00D18CC8,0000000C), ref: 00C88704
GetLastError.KERNEL32(?,00C885CC,?,00D18CC8,0000000C), ref: 00C8870E
__dosmaperr.LIBCMT ref: 00C88739

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: cf5959aeb9aeec03bac7c311535bea5671984d67354ed79ff9d91298cd2d0c29
Instruction ID: 04a73c9c3104a15133fe543ceb1ed6fd842d02f8393f861a5d3c1270907a4e66
Opcode Fuzzy Hash: cf5959aeb9aeec03bac7c311535bea5671984d67354ed79ff9d91298cd2d0c29
Instruction Fuzzy Hash: C2016B3264466016C2307234688577E2B594F8177CF7A0119F8348B5E3EEA09D869358

Function 00C5DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 00C5DB7B
DispatchMessageW.USER32(?), ref: 00C5DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C5DB9F
Sleep.KERNELBASE(0000000A), ref: 00C5DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00CA1CC9

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 0065f157f57ba7139e52bc675a1f9c87b5b7547520729dfbbb2126c5ff3dd984
Instruction ID: 4c9f0bf806c68535a8cb076804d362cb7aed97590f89f190978dd73633c2405e
Opcode Fuzzy Hash: 0065f157f57ba7139e52bc675a1f9c87b5b7547520729dfbbb2126c5ff3dd984
Instruction Fuzzy Hash: 85F05E346043819BE730CBA0CCC9FAA73A9EB55315F104629EA1AC70C0DB3495899B25

Function 00C61310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C617F6

Strings

CALL, xrefs: 00C617C6

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 21a467c76afd67c0a9c89ec620cca323e599783b9d6dd4521f1754cc7975faf1
Instruction ID: 2b97e78bbe79380d5127c74b5b7d38db733619c8ec6d2617bf749905878fb9be
Opcode Fuzzy Hash: 21a467c76afd67c0a9c89ec620cca323e599783b9d6dd4521f1754cc7975faf1
Instruction Fuzzy Hash: EA228A746083419FC724DF15C480A2ABBF1BF89315F2C895DF8968B3A2D731E946DB92

Function 00C52DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00C92C8C

Part of subcall function 00C53AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C53A97,?,?,00C52E7F,?,?,?,00000000), ref: 00C53AC2

Part of subcall function 00C52DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C52DC4

Strings

X, xrefs: 00C92C5A

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 3ef5a68f5fecf980906e83d17a5bcc39b68a03d49f39c580734825f21b3bda58
Instruction ID: 6de92d5b1a6483cc660a68786529291b157ec2beecec916e859755a789f7ee6b
Opcode Fuzzy Hash: 3ef5a68f5fecf980906e83d17a5bcc39b68a03d49f39c580734825f21b3bda58
Instruction Fuzzy Hash: 4921C675A00298AFDF01DF94C8457EE7BF89F49305F008059E805A7341DBB496CDDB65

Function 00C53837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C53908

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 572c1bdff03d8c180601bbd0506c98b384d252187a18c273380df9d4eaf5a37e
Instruction ID: f1584effb6cae994bd92fb313095ce5ed2cbec2232acc2ff55a59f94a6b117de
Opcode Fuzzy Hash: 572c1bdff03d8c180601bbd0506c98b384d252187a18c273380df9d4eaf5a37e
Instruction Fuzzy Hash: AB31C3745043408FD721DF24D884797BBE8FB59349F00092EF9A9C7390E771AA88CB56

Function 00C6F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C6F661

Part of subcall function 00C5D731: GetInputState.USER32 ref: 00C5D807

Sleep.KERNEL32(00000000), ref: 00CAF2DE

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 8d65eff30d6b71ab6f681c8ad2aad450331690ec9cd56c6b2bd663c9b0a8c4f6
Instruction ID: 0f79414ed0774774f8df77b8efba6ae22b286f549138e9472cbc01d0a6b3e5f8
Opcode Fuzzy Hash: 8d65eff30d6b71ab6f681c8ad2aad450331690ec9cd56c6b2bd663c9b0a8c4f6
Instruction Fuzzy Hash: 09F08C352403069FD314EF79D489B6ABBE8EF4A761F000029F85ACB260EB70AC45CB94

Function 00C54ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C54E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C54EDD,?,00D21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C54E9C
Part of subcall function 00C54E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C54EAE
Part of subcall function 00C54E90: FreeLibrary.KERNEL32(00000000,?,?,00C54EDD,?,00D21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C54EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00D21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C54EFD

Part of subcall function 00C54E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C93CDE,?,00D21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C54E62
Part of subcall function 00C54E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C54E74
Part of subcall function 00C54E59: FreeLibrary.KERNEL32(00000000,?,?,00C93CDE,?,00D21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C54E87

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 3354189c1411566ab736cd129d2fb04246b00c48a60995c26d5bf29d351b6e8c
Instruction ID: ff662940136d623befa0e530f310052d3c1906db52b2d2544b9f5428e7885543
Opcode Fuzzy Hash: 3354189c1411566ab736cd129d2fb04246b00c48a60995c26d5bf29d351b6e8c
Instruction Fuzzy Hash: F7112B36600305ABCF18AB64DC43FAD77A59F40716F10442DF942A61C1DF709AC9A754

Function 00C88402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00C88440

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: f07b3369deffaab1fcf8c0bd3ace3ca6c399927cf13b78c5d2dc85f180411686
Instruction ID: ffdcb2e6e5bd84c79ae6dfbc5240aa739e1bfcee217ba05a3435a4c93307df16
Opcode Fuzzy Hash: f07b3369deffaab1fcf8c0bd3ace3ca6c399927cf13b78c5d2dc85f180411686
Instruction Fuzzy Hash: A411487290420AAFCF15DF58E94099E7BF4EF48304F104099FC08AB312DB30DA15CBA8

Function 00C85000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C84C7D: RtlAllocateHeap.NTDLL(00000008,00C51129,00000000,?,00C82E29,00000001,00000364,?,?,?,00C7F2DE,00C83863,00D21444,?,00C6FDF5,?), ref: 00C84CBE

_free.LIBCMT ref: 00C8506C

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 88886edc6c05df15cb95be891dd2ab2c723fd48ac5720262900f44482c6a68be
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: CC0149722047056BE3319F69D885A9AFBECFB89374F25051DE194832C0EB70AD05C7B8

Function 00C7E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 7a8834c82753b54f7bab98cbbecdcbb9c4c3f983db077ae2aa8b2a139007302e
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: D7F02833510A18E6C7313A7ACC09B9A339C9F56338F118759F829931D2DF74D906A7A9

Function 00C84C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00C51129,00000000,?,00C82E29,00000001,00000364,?,?,?,00C7F2DE,00C83863,00D21444,?,00C6FDF5,?), ref: 00C84CBE

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: de2cf2d632a3993913855a6ecf004195cd3ac5c724294a82919a9062a520e649
Instruction ID: a7eb79d3ae459cc3ce188a75ab7834a7c569584d8e41bff88da88c42317e9a92
Opcode Fuzzy Hash: de2cf2d632a3993913855a6ecf004195cd3ac5c724294a82919a9062a520e649
Instruction Fuzzy Hash: 7AF0593130232277DB287F669C05B5A778CBF413B8B158125F829EA280CB30D90153E8

Function 00C83820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00D21444,?,00C6FDF5,?,?,00C5A976,00000010,00D21440,00C513FC,?,00C513C6,?,00C51129), ref: 00C83852

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 69b992d2fef7bc77f36db168e44b6e84bc42d7c08830690fe7709e5f187ede5e
Instruction ID: 3954643291bfe5338ccdfd206285c109b2511449ad8d22ea87cd04931fb5160a
Opcode Fuzzy Hash: 69b992d2fef7bc77f36db168e44b6e84bc42d7c08830690fe7709e5f187ede5e
Instruction Fuzzy Hash: 0AE0E5312012A457D73137679C06B9B3749AB42FB8F155026BC28A65C1DB20DF0293F8

Function 00C54F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00D21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C54F6D

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: f51d5959bae61da81b167795e3177becdbda6f79b10384afe1f495e5e6fd267b
Instruction ID: 30072abf809482f649462d9b99ea4ad0d5168972a8c97a858326ece0b35ef38a
Opcode Fuzzy Hash: f51d5959bae61da81b167795e3177becdbda6f79b10384afe1f495e5e6fd267b
Instruction Fuzzy Hash: 46F0A075005341CFCB388FA9D490856B7F0AF0431E3208A7EE5EA82511C73198C8DF14

Function 00CE2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CE2A66

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 4518d6d8d9fd0872e46191dd89e6d32219febbcd2c222e1c653dfa9401bd3dbf
Instruction ID: 4db29659d8ddeb5ba1341180fed6fb9c5b87192e904619a07b35cc43d7f5385e
Opcode Fuzzy Hash: 4518d6d8d9fd0872e46191dd89e6d32219febbcd2c222e1c653dfa9401bd3dbf
Instruction Fuzzy Hash: A6E02632740156AAC714EB32ECC0AFE734CEF50394B04043AFC26C2100DB308A81B2E0

Function 00C530F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C5314E

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: b82ff795aa2df27f4430ff1f69b023383753d1602be56f78dacb5b74e63c5b77
Instruction ID: 13e0c932094687fd7c9a5812f2b817ae39b17765e471afc3515bc6e1ae9def12
Opcode Fuzzy Hash: b82ff795aa2df27f4430ff1f69b023383753d1602be56f78dacb5b74e63c5b77
Instruction Fuzzy Hash: D3F0A7749003489FE762DB24DC457DA7BBCA711708F0040E5A548D6292D7704789CF55

Function 00C52DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C52DC4

Part of subcall function 00C56B57: _wcslen.LIBCMT ref: 00C56B6A

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: dd13da56d7a36bc7bd6c5503f8be72ac1152915815e1d30cee275b633b9c2074
Instruction ID: 557d8a8f1c8218bc1ab6dc79ad4a2e6f81fbc4080db2e786010b1c30f4e66e85
Opcode Fuzzy Hash: dd13da56d7a36bc7bd6c5503f8be72ac1152915815e1d30cee275b633b9c2074
Instruction Fuzzy Hash: 61E0CD766001245BCB10D6989C46FEA77DDDFC8790F040071FD09D7248D970ED849550

Function 00C52B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C53837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C53908

Part of subcall function 00C5D731: GetInputState.USER32 ref: 00C5D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00C52B6B

Part of subcall function 00C530F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C5314E

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 296d2915500940de486d54afdea99a57a6e8bfc68ce473083b8c1eebff3d2d1d
Instruction ID: 5269ae8429b8f9cff1dad221df7cfee2ce14caeffd362ba5d5b5c6c40bb71995
Opcode Fuzzy Hash: 296d2915500940de486d54afdea99a57a6e8bfc68ce473083b8c1eebff3d2d1d
Instruction Fuzzy Hash: CAE0262A30038403C608BB30A8525ADA7598BE1393F40043EF847872A3CE2046CE9229

Function 00C9039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00C90704,?,?,00000000,?,00C90704,00000000,0000000C), ref: 00C903B7

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e43d2e5be1dc5fcaf2080110817d1e3b7394332e2d68829a0e59d8215bf6db10
Instruction ID: fd2dfafe59c36e7ab9f8a00fc578b1f05c14984bc141ed181e8687cc2b9d60c6
Opcode Fuzzy Hash: e43d2e5be1dc5fcaf2080110817d1e3b7394332e2d68829a0e59d8215bf6db10
Instruction Fuzzy Hash: E8D06C3204014DBBDF028F84DD46EDE3FAAFB48714F014000BE1856020C732E822AB91

Function 00C51CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00C51CBC

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 0437de63c3701574eb1714d79a530f20fa4458d1d83977e419915f3917abbfbf
Instruction ID: 25946fd38e5466ec36a8a907bf38253913fb10387bb70d7b81dcd0408d00850d
Opcode Fuzzy Hash: 0437de63c3701574eb1714d79a530f20fa4458d1d83977e419915f3917abbfbf
Instruction Fuzzy Hash: 3CC09B35280344BFF2248780BC8BF147765A36CB00F04C001F609D96E3C3A12411E660

Non-executed Functions

Function 00CE9576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00C69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C69BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00CE961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CE965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00CE969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CE96C9
SendMessageW.USER32 ref: 00CE96F2
GetKeyState.USER32(00000011), ref: 00CE978B
GetKeyState.USER32(00000009), ref: 00CE9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CE97AE
GetKeyState.USER32(00000010), ref: 00CE97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CE97E9
SendMessageW.USER32 ref: 00CE9810
SendMessageW.USER32(?,00001030,?,00CE7E95), ref: 00CE9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00CE992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CE9941
SetCapture.USER32(?), ref: 00CE994A
ClientToScreen.USER32(?,?), ref: 00CE99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CE99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CE99D6
ReleaseCapture.USER32 ref: 00CE99E1
GetCursorPos.USER32(?), ref: 00CE9A19
ScreenToClient.USER32(?,?), ref: 00CE9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CE9A80
SendMessageW.USER32 ref: 00CE9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CE9AEB
SendMessageW.USER32 ref: 00CE9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CE9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CE9B4A
GetCursorPos.USER32(?), ref: 00CE9B68
ScreenToClient.USER32(?,?), ref: 00CE9B75
GetParent.USER32(?), ref: 00CE9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CE9BFA
SendMessageW.USER32 ref: 00CE9C2B
ClientToScreen.USER32(?,?), ref: 00CE9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CE9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CE9CDE
SendMessageW.USER32 ref: 00CE9D01
ClientToScreen.USER32(?,?), ref: 00CE9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CE9D82

Part of subcall function 00C69944: GetWindowLongW.USER32(?,000000EB), ref: 00C69952

GetWindowLongW.USER32(?,000000F0), ref: 00CE9E05

Strings

@GUI_DRAGID, xrefs: 00CE997D
F, xrefs: 00CE9D07

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 37a465dc73caf65a05f80286d85226dfabcebde5ef8d5fb6467d2255c9f6c076
Instruction ID: d3c700c29eb70134dc3e6741a7060f59d98fd8446f01b7cbd0ae362e7f47c498
Opcode Fuzzy Hash: 37a465dc73caf65a05f80286d85226dfabcebde5ef8d5fb6467d2255c9f6c076
Instruction Fuzzy Hash: 83427B35204781AFD720CF26CC84BAABBF9FF49310F10461AFA69872A1D731AD55DB51

Function 00CE4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00CE48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00CE4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00CE4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00CE494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00CE495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00CE497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00CE49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00CE49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00CE4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CE4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CE4A7E
IsMenu.USER32(?), ref: 00CE4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CE4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CE4B20
GetWindowLongW.USER32(?,000000F0), ref: 00CE4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00CE4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00CE4C82
wsprintfW.USER32 ref: 00CE4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CE4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CE4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CE4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CE4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CE4D5A

Strings

%d/%02d/%02d, xrefs: 00CE4CA8

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 05b219d6f5066299188868cc66c2540da5386ce6babb64844bb080883435dc3c
Instruction ID: 1fec0b7c331f07175f1c83833469dae2d9edec4d993245b106cc1c19e74ff7b3
Opcode Fuzzy Hash: 05b219d6f5066299188868cc66c2540da5386ce6babb64844bb080883435dc3c
Instruction Fuzzy Hash: 9312D071900394ABEB288F66DC89FAE7BF8EF45710F104129F925EB2E1D7749A41CB50

Function 00C6F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00C6F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CAF474
IsIconic.USER32(00000000), ref: 00CAF47D
ShowWindow.USER32(00000000,00000009), ref: 00CAF48A
SetForegroundWindow.USER32(00000000), ref: 00CAF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CAF4AA
GetCurrentThreadId.KERNEL32 ref: 00CAF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CAF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00CAF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00CAF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00CAF4DE
SetForegroundWindow.USER32(00000000), ref: 00CAF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CAF4F6
keybd_event.USER32(00000012,00000000), ref: 00CAF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CAF50B
keybd_event.USER32(00000012,00000000), ref: 00CAF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CAF519
keybd_event.USER32(00000012,00000000), ref: 00CAF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00CAF528
keybd_event.USER32(00000012,00000000), ref: 00CAF52D
SetForegroundWindow.USER32(00000000), ref: 00CAF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00CAF557

Strings

Shell_TrayWnd, xrefs: 00CAF46F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 87735d26abe0ad31defe8dc2a3b37b274944927219dedc24e3564160ae555251
Instruction ID: a9159200d9bcdedfac339ab7b88494c825767b95b5b5ae52d64d97237cc05954
Opcode Fuzzy Hash: 87735d26abe0ad31defe8dc2a3b37b274944927219dedc24e3564160ae555251
Instruction Fuzzy Hash: 3A317271A40358BFEB206BF55CCAFBF7E6DEB45B50F100029FA10EA1D1C6B05D02AA60

Function 00CB1201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00CB16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CB170D
Part of subcall function 00CB16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CB173A
Part of subcall function 00CB16C3: GetLastError.KERNEL32 ref: 00CB174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00CB1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00CB12A8
CloseHandle.KERNEL32(?), ref: 00CB12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00CB12D1
GetProcessWindowStation.USER32 ref: 00CB12EA
SetProcessWindowStation.USER32(00000000), ref: 00CB12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00CB1310

Part of subcall function 00CB10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CB11FC), ref: 00CB10D4
Part of subcall function 00CB10BF: CloseHandle.KERNEL32(?,?,00CB11FC), ref: 00CB10E9

Strings

winsta0, xrefs: 00CB12CC
, xrefs: 00CB125A
default, xrefs: 00CB130B

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 71f79a13da44f345f905db4abbfcb7b2b1e6f75db81a63c64169e896175e3145
Instruction ID: 9eb54096dbdc0daf23d0bf76ff31b126162b86048710d6a1c4fccce519934b6b
Opcode Fuzzy Hash: 71f79a13da44f345f905db4abbfcb7b2b1e6f75db81a63c64169e896175e3145
Instruction Fuzzy Hash: 9F818A71900249AFDF219FA4DC99FEE7BB9EF04704F184129FD20AA1A0DB358A45CF21

Function 00CB0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CB1114
Part of subcall function 00CB10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00CB0B9B,?,?,?), ref: 00CB1120
Part of subcall function 00CB10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00CB0B9B,?,?,?), ref: 00CB112F
Part of subcall function 00CB10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00CB0B9B,?,?,?), ref: 00CB1136
Part of subcall function 00CB10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CB114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CB0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CB0C00
GetLengthSid.ADVAPI32(?), ref: 00CB0C17
GetAce.ADVAPI32(?,00000000,?), ref: 00CB0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CB0C6D
GetLengthSid.ADVAPI32(?), ref: 00CB0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00CB0C8C
HeapAlloc.KERNEL32(00000000), ref: 00CB0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CB0CB4
CopySid.ADVAPI32(00000000), ref: 00CB0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CB0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CB0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CB0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CB0D45
HeapFree.KERNEL32(00000000), ref: 00CB0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CB0D55
HeapFree.KERNEL32(00000000), ref: 00CB0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CB0D65
HeapFree.KERNEL32(00000000), ref: 00CB0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00CB0D78
HeapFree.KERNEL32(00000000), ref: 00CB0D7F

Part of subcall function 00CB1193: GetProcessHeap.KERNEL32(00000008,00CB0BB1,?,00000000,?,00CB0BB1,?), ref: 00CB11A1
Part of subcall function 00CB1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00CB0BB1,?), ref: 00CB11A8
Part of subcall function 00CB1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00CB0BB1,?), ref: 00CB11B7

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 93e481c335e3197337e7d8d8c6910fa7b17792fcca2f1a1afb29117eb43a3519
Instruction ID: c3d47bfabe15c2a65cad91f24225b9de18759bffce3327289ee79eeef354a227
Opcode Fuzzy Hash: 93e481c335e3197337e7d8d8c6910fa7b17792fcca2f1a1afb29117eb43a3519
Instruction Fuzzy Hash: A9714B7290024AABDF10DFA4DC84FEFBBB9BF05310F144519F925AB1A1D775AA06CB60

Function 00CCEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00CECC08), ref: 00CCEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00CCEB37
GetClipboardData.USER32(0000000D), ref: 00CCEB43
CloseClipboard.USER32 ref: 00CCEB4F
GlobalLock.KERNEL32(00000000), ref: 00CCEB87
CloseClipboard.USER32 ref: 00CCEB91
GlobalUnlock.KERNEL32(00000000), ref: 00CCEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00CCEBC9
GetClipboardData.USER32(00000001), ref: 00CCEBD1
GlobalLock.KERNEL32(00000000), ref: 00CCEBE2
GlobalUnlock.KERNEL32(00000000), ref: 00CCEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00CCEC38
GetClipboardData.USER32(0000000F), ref: 00CCEC44
GlobalLock.KERNEL32(00000000), ref: 00CCEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00CCEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00CCEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00CCECD2
GlobalUnlock.KERNEL32(00000000), ref: 00CCECF3
CountClipboardFormats.USER32 ref: 00CCED14
CloseClipboard.USER32 ref: 00CCED59

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 4d84c7beaa674edba3370a64725f682575539e7484b534c37fcd37c3a58dd0e6
Instruction ID: 465684dfcbaadf758ea2b1ec4c7ea9c2319ba9b990fb99a55751ab8c8d6b9686
Opcode Fuzzy Hash: 4d84c7beaa674edba3370a64725f682575539e7484b534c37fcd37c3a58dd0e6
Instruction Fuzzy Hash: A661CE342043419FD300EF24C8D5F3A7BA8AF85714F14455DF8669B2A2DB31DE4ADB62

Function 00CC698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CC69BE
FindClose.KERNEL32(00000000), ref: 00CC6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CC6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CC6A75

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00CC6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00CC6ADF

Strings

%4d, xrefs: 00CC6BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00CC6B32
%02d, xrefs: 00CC6C00, 00CC6C0A, 00CC6C5A, 00CC6CAA, 00CC6CFA, 00CC6D4A
%4d%02d%02d%02d%02d%02d, xrefs: 00CC6B6A
%03d, xrefs: 00CC6DA2

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 220c9d376a336676e051a0062cb47aa027d1928793b9222f9e170eb3a895af95
Instruction ID: 4b5cd5c51614b6304559dc6495c8f4269ecbd5c7a1474daae4234492ccad03df
Opcode Fuzzy Hash: 220c9d376a336676e051a0062cb47aa027d1928793b9222f9e170eb3a895af95
Instruction Fuzzy Hash: 58D15E76508300AFC310EBA4D981EABB7E8EF88705F44491DF985C7191EB34DA89DB62

Function 00CC9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00CC9663
GetFileAttributesW.KERNEL32(?), ref: 00CC96A1
SetFileAttributesW.KERNEL32(?,?), ref: 00CC96BB
FindNextFileW.KERNEL32(00000000,?), ref: 00CC96D3
FindClose.KERNEL32(00000000), ref: 00CC96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00CC96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00CC974A
SetCurrentDirectoryW.KERNEL32(00D16B7C), ref: 00CC9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CC9772
FindClose.KERNEL32(00000000), ref: 00CC977F
FindClose.KERNEL32(00000000), ref: 00CC978F

Strings

*.*, xrefs: 00CC96F5

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 17628500c5a14408790de99bc7e728140e1c68e63320c44a2336eba473d38302
Instruction ID: ff141faadb547c854c7808790611ced8f5c0a0fb1881cb06e43fb26ccfaa1d94
Opcode Fuzzy Hash: 17628500c5a14408790de99bc7e728140e1c68e63320c44a2336eba473d38302
Instruction Fuzzy Hash: 9331AF325412596EDB14AFB4EC8DFDE77ACEF09320F104169F925E60A0DB74DE858B24

Function 00CC979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00CC97BE
FindNextFileW.KERNEL32(00000000,?), ref: 00CC9819
FindClose.KERNEL32(00000000), ref: 00CC9824
FindFirstFileW.KERNEL32(*.*,?), ref: 00CC9840
SetCurrentDirectoryW.KERNEL32(?), ref: 00CC9890
SetCurrentDirectoryW.KERNEL32(00D16B7C), ref: 00CC98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CC98B8
FindClose.KERNEL32(00000000), ref: 00CC98C5
FindClose.KERNEL32(00000000), ref: 00CC98D5

Part of subcall function 00CBDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00CBDB00

Strings

*.*, xrefs: 00CC983B

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 2518ce3b8dd9bd9602fcf03c33156b1dcb39e3bb86f1a948a7f78a914a0441df
Instruction ID: c2012a8a9f2efbede5aece943e10486a65ff6107920fa2d3909df5f89cc37b35
Opcode Fuzzy Hash: 2518ce3b8dd9bd9602fcf03c33156b1dcb39e3bb86f1a948a7f78a914a0441df
Instruction Fuzzy Hash: CE31C1325006596EDB14AFB4EC8DFDE77ACEF06320F108169E924A30E1DB71DE85CA24

Function 00CDBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CDC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CDB6AE,?,?), ref: 00CDC9B5
Part of subcall function 00CDC998: _wcslen.LIBCMT ref: 00CDC9F1
Part of subcall function 00CDC998: _wcslen.LIBCMT ref: 00CDCA68
Part of subcall function 00CDC998: _wcslen.LIBCMT ref: 00CDCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CDBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00CDBFA9
RegCloseKey.ADVAPI32(00000000), ref: 00CDBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CDC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CDC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CDC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CDC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00CDC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CDC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CDC382
RegCloseKey.ADVAPI32(00000000), ref: 00CDC38F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: b0c08eb87acd4fcccd829e1f3dfb11a8a45a20a02a84a607bcfb819e68dd8684
Instruction ID: f7018d7b22bf2188c57a0bcb66be45bc45d911809efd39edfe8d5e25a4733519
Opcode Fuzzy Hash: b0c08eb87acd4fcccd829e1f3dfb11a8a45a20a02a84a607bcfb819e68dd8684
Instruction Fuzzy Hash: B4026A756042019FC714DF28C8D0E2ABBE5EF89308F18849DF95A8B3A2DB31ED46CB51

Function 00CC8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CC8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00CC8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CC8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CC8310
SetCurrentDirectoryW.KERNEL32(?), ref: 00CC8324
SetCurrentDirectoryW.KERNEL32(?), ref: 00CC8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CC838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00CC8395

Strings

*.*, xrefs: 00CC839B

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 7ae7cc1b23724912888f9346a3c04ccff07d48ec0095a688c5e645bfaf862de8
Instruction ID: 2df275c1729d58a717a5a9a557a93ddaf004ed454021b22fda61cbe5d321f6be
Opcode Fuzzy Hash: 7ae7cc1b23724912888f9346a3c04ccff07d48ec0095a688c5e645bfaf862de8
Instruction Fuzzy Hash: CB6149765043459FC710EF64C884EAFB3E8FF89310F04891EE99987251EB31E949CB92

Function 00CBD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C53AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C53A97,?,?,00C52E7F,?,?,?,00000000), ref: 00C53AC2

Part of subcall function 00CBE199: GetFileAttributesW.KERNEL32(?,00CBCF95), ref: 00CBE19A

FindFirstFileW.KERNEL32(?,?), ref: 00CBD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00CBD1DD
MoveFileW.KERNEL32(?,?), ref: 00CBD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00CBD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CBD237

Part of subcall function 00CBD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00CBD21C,?,?), ref: 00CBD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00CBD253
FindClose.KERNEL32(00000000), ref: 00CBD264

Strings

\*.*, xrefs: 00CBD0CD, 00CBD0D6, 00CBD0EB

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 0c20f4ab85122987091bfb24eb74d8a17774787299e6f0825b5f83ae297a1c7c
Instruction ID: 86225bf18f6a7c359edb48cdaf042e1256f785f3ea65ada360095d53f848f296
Opcode Fuzzy Hash: 0c20f4ab85122987091bfb24eb74d8a17774787299e6f0825b5f83ae297a1c7c
Instruction Fuzzy Hash: F0617E35C0114DABCF05EBE0DA929EDB7B5AF55301F204165E812771A2EB30AF4DEB61

Function 00CCED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00CCED91
EmptyClipboard.USER32 ref: 00CCED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00CCEDAC
CloseClipboard.USER32 ref: 00CCEEA3

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 664f2e675de8fb7073c86d5020cbe7853179b0019c34072cf3c685a9f3efaa0a
Instruction ID: b20708d4a09bc01de5dbe36a90c2f7ed9fac019a753ff6593559de2dc04a7bbe
Opcode Fuzzy Hash: 664f2e675de8fb7073c86d5020cbe7853179b0019c34072cf3c685a9f3efaa0a
Instruction Fuzzy Hash: 4C41CD35204651AFE720DF15D889F1ABBE5EF45358F14C09DE8268F662C735ED82CB90

Function 00CBE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CB170D
Part of subcall function 00CB16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CB173A
Part of subcall function 00CB16C3: GetLastError.KERNEL32 ref: 00CB174A

ExitWindowsEx.USER32(?,00000000), ref: 00CBE932

Strings

, xrefs: 00CBE920
SeShutdownPrivilege, xrefs: 00CBE902
@, xrefs: 00CBE925
, xrefs: 00CBE95C

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: cbcb27c104b572d9dfd1e155012f1335f9c947f5034906c0ed37030f70cb4c45
Instruction ID: 0327cf99928dadca964ea9799ac492b7424cee52dbec19854effc98ab793232f
Opcode Fuzzy Hash: cbcb27c104b572d9dfd1e155012f1335f9c947f5034906c0ed37030f70cb4c45
Instruction Fuzzy Hash: 0D01F973E10311AFEB5827B5ACC6FFF729C9714B50F190422FD23E61D1D9A05D4892A0

Function 00CD1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00CD1276
WSAGetLastError.WSOCK32 ref: 00CD1283
bind.WSOCK32(00000000,?,00000010), ref: 00CD12BA
WSAGetLastError.WSOCK32 ref: 00CD12C5
closesocket.WSOCK32(00000000), ref: 00CD12F4
listen.WSOCK32(00000000,00000005), ref: 00CD1303
WSAGetLastError.WSOCK32 ref: 00CD130D
closesocket.WSOCK32(00000000), ref: 00CD133C

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 0a7cde513e686679a8149925962e54252ec0b30fdcdddae76f34b80f5c1995ce
Instruction ID: b5aba555c722956d3a027d62384aa314444aa2c263c723e0dd8831d4a9a530cc
Opcode Fuzzy Hash: 0a7cde513e686679a8149925962e54252ec0b30fdcdddae76f34b80f5c1995ce
Instruction Fuzzy Hash: 77418135600240AFD714DF64C5C4B29BBE5AF46314F188189ED568F3D2C771ED86CBA1

Function 00C8B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C8B9D4
_free.LIBCMT ref: 00C8B9F8
_free.LIBCMT ref: 00C8BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00CF3700), ref: 00C8BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00D2121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00C8BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00D21270,000000FF,?,0000003F,00000000,?), ref: 00C8BC36
_free.LIBCMT ref: 00C8BD4B

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 8e73449612cdcea9518baf52e2995be421d06da5e9cbcc3aa1c25414f62219cc
Instruction ID: e030f5e1475ade395803136be60fe96054d1eb94d4a3cddfd28ebae0669ecdf1
Opcode Fuzzy Hash: 8e73449612cdcea9518baf52e2995be421d06da5e9cbcc3aa1c25414f62219cc
Instruction Fuzzy Hash: ACC12875904205AFCB24BF698C41BBEBBB8EF51318F1441AAE4A4D7251EB309F42E758

Function 00CBD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C53AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C53A97,?,?,00C52E7F,?,?,?,00000000), ref: 00C53AC2

Part of subcall function 00CBE199: GetFileAttributesW.KERNEL32(?,00CBCF95), ref: 00CBE19A

FindFirstFileW.KERNEL32(?,?), ref: 00CBD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00CBD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00CBD481
FindClose.KERNEL32(00000000), ref: 00CBD498
FindClose.KERNEL32(00000000), ref: 00CBD4A1

Strings

\*.*, xrefs: 00CBD3F2

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: c43cf6b5f46e6f202fbbf6bd317bac3fe53bcc0d5681b5297e4f98e95ce3d1c5
Instruction ID: a77f2a2ce544e7f49ec25358ba017626513ed9b5460670e436aeb604dad958b9
Opcode Fuzzy Hash: c43cf6b5f46e6f202fbbf6bd317bac3fe53bcc0d5681b5297e4f98e95ce3d1c5
Instruction Fuzzy Hash: 32316F350083859BC300EF64D8929EF77E8AE91311F444E6DF8D2531A1EB30AA4D9B66

Function 00C8E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00C8E645

Strings

1#INF, xrefs: 00C8F852
1#IND, xrefs: 00C8F83D
1#SNAN, xrefs: 00C8F844
1#QNAN, xrefs: 00C8F84B

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2f99e615d79abd4bf95aa03fc2fc6f99587f7279f1f1ecdd22665693943f57be
Instruction ID: 14b2d0059928c5959fc0000fe32f1b77010e37861e62fdb6933309e52604653a
Opcode Fuzzy Hash: 2f99e615d79abd4bf95aa03fc2fc6f99587f7279f1f1ecdd22665693943f57be
Instruction Fuzzy Hash: 3CC25D71E086288FDB25EF28DD407EAB7B5EB44309F1541EAD85DE7240E774AE828F44

Function 00CC648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CC64DC
CoInitialize.OLE32(00000000), ref: 00CC6639
CoCreateInstance.OLE32(00CEFCF8,00000000,00000001,00CEFB68,?), ref: 00CC6650
CoUninitialize.OLE32 ref: 00CC68D4

Strings

.lnk, xrefs: 00CC64BA, 00CC6524, 00CC65E0

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 2caf4fa3c0c09f034c7b4b41ad6683dd80c1791186b10ff9bd353225d75dd50d
Instruction ID: 7c76fb55e9880c0ebe1f1c9b254231efc3ea830a0607160b2cf113d2207315d6
Opcode Fuzzy Hash: 2caf4fa3c0c09f034c7b4b41ad6683dd80c1791186b10ff9bd353225d75dd50d
Instruction Fuzzy Hash: 35D15975508301AFC304EF24C981E6BB7E8FF94705F50496DF5958B2A1EB30EA49CB92

Function 00CD22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00CD22E8

Part of subcall function 00CCE4EC: GetWindowRect.USER32(?,?), ref: 00CCE504

GetDesktopWindow.USER32 ref: 00CD2312
GetWindowRect.USER32(00000000), ref: 00CD2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00CD2355
GetCursorPos.USER32(?), ref: 00CD2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CD23DF

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: ef88bbb79d5f5aa5e93a4388b9aff16d2d08ab2b14ee304dbc84c1c2a75564d6
Instruction ID: d3418e965995ea17dfd313baa564c1ff428e7bf68e73f915a35cd82050bb4dd5
Opcode Fuzzy Hash: ef88bbb79d5f5aa5e93a4388b9aff16d2d08ab2b14ee304dbc84c1c2a75564d6
Instruction Fuzzy Hash: AB310272505355AFC720DF14C888F9BB7ADFF94710F00091AF9949B291DB34EA09CB92

Function 00CC9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00CC9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00CC9C8B

Part of subcall function 00CC3874: GetInputState.USER32 ref: 00CC38CB
Part of subcall function 00CC3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CC3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00CC9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00CC9C75

Strings

*.*, xrefs: 00CC9B5D

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 36ed921dd0b2162de1fe9a536a0c85017bb3d3cce710c2d06de52e9f7aee9309
Instruction ID: 77e1874822a9788e3272d0fbe7bf79ff38666cdab6f31dd3e866ae8f42c8080b
Opcode Fuzzy Hash: 36ed921dd0b2162de1fe9a536a0c85017bb3d3cce710c2d06de52e9f7aee9309
Instruction Fuzzy Hash: 9F41907190424AAFCF14DF64C889FEEBBB8EF15301F20405AE815A2191EB319F89DF64

Function 00C6997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00C69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C69BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C69A4E
GetSysColor.USER32(0000000F), ref: 00C69B23
SetBkColor.GDI32(?,00000000), ref: 00C69B36

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: ff7ea3ee83a81936b04b36e2bbdafa885497359a5a6ba6d95356e38ed05ad265
Instruction ID: 2ad42e3653c1d23a2f92ea9f5b636e223624f6adec2fed38bf85a81ce7ef7912
Opcode Fuzzy Hash: ff7ea3ee83a81936b04b36e2bbdafa885497359a5a6ba6d95356e38ed05ad265
Instruction Fuzzy Hash: 8FA13970108545BEE7399A7E8CD8E7F36DDEB83304B14421AF122C66A2CA359F02E671

Function 00CD1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CD307A
Part of subcall function 00CD304E: _wcslen.LIBCMT ref: 00CD309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00CD185D
WSAGetLastError.WSOCK32 ref: 00CD1884
bind.WSOCK32(00000000,?,00000010), ref: 00CD18DB
WSAGetLastError.WSOCK32 ref: 00CD18E6
closesocket.WSOCK32(00000000), ref: 00CD1915

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 79cca3f0a7723b2d0ea8ef0bf7ddb894726699cca2b298f4286ea58531359a51
Instruction ID: 50eefaed5e3bf4f0c8482949a788055560d9517bd39d92e49635f21eff2f4ac9
Opcode Fuzzy Hash: 79cca3f0a7723b2d0ea8ef0bf7ddb894726699cca2b298f4286ea58531359a51
Instruction Fuzzy Hash: D951A175A00200AFDB20EF24C8C6F2A77E5AB44718F588159FE156F3D3D771AD819BA1

Function 00CE1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00CE1CC0
IsWindowEnabled.USER32 ref: 00CE1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00CE1CDB
IsIconic.USER32 ref: 00CE1CE9
IsZoomed.USER32 ref: 00CE1CF7

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a87d4e3cb66f7de026dca90eb6b1985070429d2f87af15ebb736c32bebcb476c
Instruction ID: 0821be225c4bcb4935d5ef72575d7305c080e2202f29133da1640dd39cc7e34b
Opcode Fuzzy Hash: a87d4e3cb66f7de026dca90eb6b1985070429d2f87af15ebb736c32bebcb476c
Instruction Fuzzy Hash: 1621A3317402905FD7218F2BC884B6A7BE5EF85315B2D8068EC56CB351C771ED42CB90

Function 00C58060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 00C5813C
VUUU, xrefs: 00C95DF0
VUUU, xrefs: 00C5843C
VUUU, xrefs: 00C583E8
VUUU, xrefs: 00C583FA

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 88decf4776556e2b489b49d9e856c251e12a573d7b44066361bc28cc94a21ab5
Instruction ID: 7a07cddcb535a81d464c9cededab94040b6fa647527877be3df453cd8a7c8dd6
Opcode Fuzzy Hash: 88decf4776556e2b489b49d9e856c251e12a573d7b44066361bc28cc94a21ab5
Instruction Fuzzy Hash: 1BA29074E0061ACBDF24CF59C9447AEB7B1BF54311F2481AAEC25A7285EB309EC9CB54

Function 00CBAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00CBAAAC
SetKeyboardState.USER32(00000080), ref: 00CBAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00CBAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00CBAB88

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 88e4a98866c729270fd1cf8f54671299b6a5ab4de63f5d8f2b6cb3bf3d1d1ef8
Instruction ID: d11960174633b82c1724255a9105534785aa5ff4882e3d2daf7e64954296a906
Opcode Fuzzy Hash: 88e4a98866c729270fd1cf8f54671299b6a5ab4de63f5d8f2b6cb3bf3d1d1ef8
Instruction Fuzzy Hash: 3B31F470A80248AFFF358B658C45BFE7BAAAB44310F04421AF5F1961D1D3758E85D762

Function 00CCCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00CCCE89
GetLastError.KERNEL32(?,00000000), ref: 00CCCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00CCCEFE

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 5fec1d9cfa05172a222b497233d92b190243938ef145781d73d08839a051773c
Instruction ID: 02153cf75608ef09b6616994e066856e836198570012a1fcf930c6631a1e43aa
Opcode Fuzzy Hash: 5fec1d9cfa05172a222b497233d92b190243938ef145781d73d08839a051773c
Instruction Fuzzy Hash: D921BAB1900305ABEB20DFA5C9C8FAABBFCEB11314F10841EE65AD6151E770EE458B60

Function 00CB8298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00CB82AA

Strings

|, xrefs: 00CB82DA
(, xrefs: 00CB82F0

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: fa35648499ee5ba8f3fb4065b81acc8374de1854f475d00165717db17e535516
Instruction ID: e4d89ddaa55156d0ca61574a61aa5d297fd04e617b5c2ff1d1ee8c8eac0d5e1f
Opcode Fuzzy Hash: fa35648499ee5ba8f3fb4065b81acc8374de1854f475d00165717db17e535516
Instruction Fuzzy Hash: B3323774A006059FCB28CF59C481AAAB7F4FF48710F15C56EE5AADB3A1EB70E941CB50

Function 00CC5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CC5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00CC5D17
FindClose.KERNEL32(?), ref: 00CC5D5F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 020d32ef9f51a8d236c71f5a1c30d6e09f1c8d57ebe796da8212274f3bf6ba8b
Instruction ID: b6d1b3eb1691a094436d050967cd4e304ffd1bf5c72006e4d15e1fce19533ac2
Opcode Fuzzy Hash: 020d32ef9f51a8d236c71f5a1c30d6e09f1c8d57ebe796da8212274f3bf6ba8b
Instruction Fuzzy Hash: 3A514674604B019FC714DF28C494E9AB7E4FF49314F14855DE9AA8B3A2DB30F985CB91

Function 00C82622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00C8271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C82724
UnhandledExceptionFilter.KERNEL32(?), ref: 00C82731

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 0c4009c0ae3b15da1e01447281eaaf68012b898b0d2857a10a2e2bc9ac059919
Instruction ID: 9cd9835a58898cce6c011976d4ea0da2cf1e9c4b6962fb09f84a7ba0310d556c
Opcode Fuzzy Hash: 0c4009c0ae3b15da1e01447281eaaf68012b898b0d2857a10a2e2bc9ac059919
Instruction Fuzzy Hash: B231B375911318ABCB21DF69DC897DDBBB8AF08310F5081EAE81CA7261E7309F819F45

Function 00CC51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CC51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00CC5238
SetErrorMode.KERNEL32(00000000), ref: 00CC52A1

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 00fc09396d4127408fb6384a224db0d5627f978762959605985ffd88dfda34f8
Instruction ID: f6260ad98985397eabc0a07e9c5d432a9223a5a72a4b29ee7ce8981efceee53d
Opcode Fuzzy Hash: 00fc09396d4127408fb6384a224db0d5627f978762959605985ffd88dfda34f8
Instruction Fuzzy Hash: D7310B75A006189FDB00DF54D8C4FADBBB4FF49314F048099E805AB392DB31E996CB50

Function 00CB16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C6FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C70668
Part of subcall function 00C6FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C70685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CB170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CB173A
GetLastError.KERNEL32 ref: 00CB174A

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 92ef92f16bae2b7c36a732a65f6285860f7388fab2460d3c711d534a28336abe
Instruction ID: 39604febf1278dadcb063540901b71cc72b9846ddea4407f54d0f203a69ea205
Opcode Fuzzy Hash: 92ef92f16bae2b7c36a732a65f6285860f7388fab2460d3c711d534a28336abe
Instruction Fuzzy Hash: E61191B2414304AFD7289F54ECC6EABB7FDEB45714B24852EF46657241EB70BC428B60

Function 00CBD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CBD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00CBD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00CBD650

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 1dd855525ae286acc940301957ac0cd81fecf5b9260f1b3d8da82c82d9f2d987
Instruction ID: 90570403c7a540815fa76dd3a0c6f6ea082fc447c338515fd126bb28ef76fd55
Opcode Fuzzy Hash: 1dd855525ae286acc940301957ac0cd81fecf5b9260f1b3d8da82c82d9f2d987
Instruction Fuzzy Hash: 5D113C75E05228BBDB108F959C85FEFBFBCEB45B60F108515F914E7290D6704A058BA1

Function 00CB1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00CB168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00CB16A1
FreeSid.ADVAPI32(?), ref: 00CB16B1

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 0cb687fb8635c8f3220d67859044fed49ceb4c6e6094f423dd1a0c2bb77e38f6
Instruction ID: 2caa78998cc307d86d72c55d2b7fd526fc55e14d0619c0acebf006c884922206
Opcode Fuzzy Hash: 0cb687fb8635c8f3220d67859044fed49ceb4c6e6094f423dd1a0c2bb77e38f6
Instruction Fuzzy Hash: 64F0F471950309FBDB00DFE4DCC9AAEBBBCEB08604F504565E901E6181E774AA448A50

Function 00C8C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00C8C36C

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: bc76638a29d61ceae1d6b95783c443a64d33f402b02483f620e545b19a5eeb98
Instruction ID: 9a677412ee4d13a9e19fa2f1bbe7d6b03c868fcf656dd09e1a73bca74b4153aa
Opcode Fuzzy Hash: bc76638a29d61ceae1d6b95783c443a64d33f402b02483f620e545b19a5eeb98
Instruction Fuzzy Hash: 0C415B76500219AFCB24AFB9DCC8EFB7778EB84318F104269F915D7190E6309E81CB64

Function 00CAD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00CAD28C

Strings

X64, xrefs: 00CAD2A8

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: af410ee6fc2af489e7d7125ed803391347a320aaa6e6d2f51842cd572576028b
Instruction ID: 085b150e7ee58af7e1c880249c6220a62a59952a37ff792ac6bfdca2350bf541
Opcode Fuzzy Hash: af410ee6fc2af489e7d7125ed803391347a320aaa6e6d2f51842cd572576028b
Instruction Fuzzy Hash: 05D0C9B480111EEACB90DB90DCC8EDDB77CBB04305F100291F507A2000D73095498F10

Function 00C7CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 54a1dca4fde2c2f2ce2cc559642a7fb06c556209acc39b7cbefd475631f2d91e
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: E2020D72E0011A9FDF24CFA9D8C06ADBBF1EF48314F25816DD929E7384D731AA418B94

Function 00CC68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00CC6918
FindClose.KERNEL32(00000000), ref: 00CC6961

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 6b276dbaa4bfa558a9bb27f1abc53a6bfd0b28ed73c6af9ae62d9717e69ea7ec
Instruction ID: 29e5a78dd2f6362675e5e265630d0f01288be90bc35874d5f87952d54c8854e6
Opcode Fuzzy Hash: 6b276dbaa4bfa558a9bb27f1abc53a6bfd0b28ed73c6af9ae62d9717e69ea7ec
Instruction Fuzzy Hash: E1117C756042009FC710DF69D8C5B1ABBE5EF89329F14C69DE8698F6A2C730EC45CB91

Function 00CC37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00CD4891,?,?,00000035,?), ref: 00CC37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00CD4891,?,?,00000035,?), ref: 00CC37F4

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: c139efe1619c32bb250b854f2e036bf9b087b52271183895005ac479aa6b6c7e
Instruction ID: 4c7516f605f6c67eece2352882fcbab56c5ecb74ab31eda1e81a2bc4ecb863d6
Opcode Fuzzy Hash: c139efe1619c32bb250b854f2e036bf9b087b52271183895005ac479aa6b6c7e
Instruction Fuzzy Hash: 3CF055B17003282AEB2017A69C8DFEB3AAEEFC5761F000164F908D22C0C9709904C7B0

Function 00CBB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00CBB25D
keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00CBB270

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 877015a4d6d014ad806a04ef713900ac7eb308ed4e68b5258e9a330deddeb368
Instruction ID: 3b84a5c03d9929d120b46dc890edee0afdbc05ca3147f300fff7f961190e0be6
Opcode Fuzzy Hash: 877015a4d6d014ad806a04ef713900ac7eb308ed4e68b5258e9a330deddeb368
Instruction Fuzzy Hash: 62F01D7180428EABDB059FA1C846BEE7BB4FF04305F008009F965A9192C379C6119F95

Function 00CB10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CB11FC), ref: 00CB10D4
CloseHandle.KERNEL32(?,?,00CB11FC), ref: 00CB10E9

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: d141ddc628020de090b13faac0cbc9103871c29a1001a16e776e6a3391f9a8e2
Instruction ID: 223a8dc8ccf8209bfaad969a5846504841d5ac386640ffec1e160f7c18395678
Opcode Fuzzy Hash: d141ddc628020de090b13faac0cbc9103871c29a1001a16e776e6a3391f9a8e2
Instruction Fuzzy Hash: 02E04F32004600AEE7252B11FC85FB77BA9EB04320F14882EF8A5844B1DB626C91EB10

Function 00C5CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00CA0C40

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 7afc53f8fcc1bb529da007d7141b7df9b4b183edcc6991aaf733cdc1ffec8d04
Instruction ID: 6f69bc1a788794102729c250490c5686b8a54aa22e5a58bc012ea7a3bed81bae
Opcode Fuzzy Hash: 7afc53f8fcc1bb529da007d7141b7df9b4b183edcc6991aaf733cdc1ffec8d04
Instruction Fuzzy Hash: FE3299389003099FCF14DF94C8C1AEDB7B5BF05349F204159E816AB282DB75AE8ADB65

Function 00C8676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C86766,?,?,00000008,?,?,00C8FEFE,00000000), ref: 00C86998

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 540f443a5fa821aaaf695fa7aafa06c69524c2222e87c0946768948004a30817
Instruction ID: 2fffbeea70c18e321ebdf8782e4a3ae357e388a36424d3837abe610f402c6e29
Opcode Fuzzy Hash: 540f443a5fa821aaaf695fa7aafa06c69524c2222e87c0946768948004a30817
Instruction Fuzzy Hash: EEB13C31510608DFD719DF28C48ABA57BE0FF45368F258658E8A9CF2E2C735EA91CB44

Function 00C6B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00CA851F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 27e9d0090bcc185b8414d5272511e8809a1328ec6b36ceb6d3879afc81f7a887
Instruction ID: 33c745173f3f09d8b00c1985fd040c851a08d4a504431680811a36c62c5af15f
Opcode Fuzzy Hash: 27e9d0090bcc185b8414d5272511e8809a1328ec6b36ceb6d3879afc81f7a887
Instruction Fuzzy Hash: F812507590022A9BDB24CF59C8806BEB7B5FF48710F1481AAE849EB255DB309E85DB90

Function 00CCEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00CCEABD

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 66b031558fb5aba72ba158983f86dbc310193698d0e8f2356900ee1c99ce87e0
Instruction ID: 32494bb8f235eb2c731a19cd6f89948718294ca2eb0ff2c913a97963754540c4
Opcode Fuzzy Hash: 66b031558fb5aba72ba158983f86dbc310193698d0e8f2356900ee1c99ce87e0
Instruction Fuzzy Hash: 11E01A352002049FC710EF6AD844E9ABBE9AF99760F00841AFC49CB251DA70A9859B90

Function 00C709D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00C703EE), ref: 00C709DA

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b99a8807228c0a8a14ff42f5f8b513926bdda71e44c99bada76044ac20b7a5e7
Instruction ID: b995b5f653408638b4a6dec60aa13ecc2a95c730960f6589031ba3f516e054b0
Opcode Fuzzy Hash: b99a8807228c0a8a14ff42f5f8b513926bdda71e44c99bada76044ac20b7a5e7
Instruction Fuzzy Hash:

Function 00C7781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00C7798B

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: cefb6aca639f5377dcc5323a06575a0fe630343007ce58f986d44635fedbc303
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: E651773160C70D9ADB384579C95E7BE27899B02340F18CB19DAAEE72C2C605DF05E393

Function 00C86DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d9e887208e91b15f561a8a2eb2231bec9aa911c668f0d317a465023a722f825
Instruction ID: 8de5f67ff68c0c645701dae5d1c17524f84bed74641d67a01a543cac65097085
Opcode Fuzzy Hash: 7d9e887208e91b15f561a8a2eb2231bec9aa911c668f0d317a465023a722f825
Instruction Fuzzy Hash: 42323931D29F014DD723A634CC22339A649AFB73C9F25D737F826B59A5EB29C5838205

Function 00C6CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051d123d345b03e473063eafe4eb93c09351e9cdb1e87e33e9754ffdf9f568dd
Instruction ID: b2852cd4a629438b0b9de6c8b76ee2e58e2e4cd17356671f869915e2492d5b1d
Opcode Fuzzy Hash: 051d123d345b03e473063eafe4eb93c09351e9cdb1e87e33e9754ffdf9f568dd
Instruction Fuzzy Hash: 83322731A0411B9BCF38CF2DC4D46BD77A1EB46318F28856AD4BADB291D630DE81EB50

Function 00C57920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686150f7f70bd25bbc7d8fa360f524cbc66a7ec78918b860e870b1b74b23a4df
Instruction ID: bd003cd23de481a0ef452bbfa7f97e1fe3c357801d4fe7fa09c86a6595bfbf6c
Opcode Fuzzy Hash: 686150f7f70bd25bbc7d8fa360f524cbc66a7ec78918b860e870b1b74b23a4df
Instruction Fuzzy Hash: E22203B0A00609DFDF14CF65D885AAEB7F1FF44300F204229E816E7291EB36AE95DB54

Function 00C591C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e114e4dfed5eefdc0cded56463de222af0bb71e01745962271ffd7b2e32bfd6d
Instruction ID: 48202742b05a2858af2d6c8480eb273dc740c49701769c3a5dd8b0f2acb919d8
Opcode Fuzzy Hash: e114e4dfed5eefdc0cded56463de222af0bb71e01745962271ffd7b2e32bfd6d
Instruction Fuzzy Hash: 3802D5B0E00205EBCF04DF55D885AAEBBB1FF54300F108169E816DB291EB31EA65DB95

Function 00C89EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff476bcf846506c190b1cc45322f7f81e35084825cfe12bddb4360b292052c6
Instruction ID: cc2b1294c0645eba1c99fa57551fdb6ad51c16e5b54e73fba8ae3a1626be806e
Opcode Fuzzy Hash: 2ff476bcf846506c190b1cc45322f7f81e35084825cfe12bddb4360b292052c6
Instruction Fuzzy Hash: 1CB11320E2AF815DD3239639883133AB65CAFBB2D5F91D31BFC1674D72EB2186878141

Function 00C71C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 302cd99e6d122accab3edfcf9de8975014da1dbc0f5ab292183b1300acc3b817
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 229189721080A34ADB2A467E857503DFFE15A523A131E879DDCFACA1C1FE10CA54D620

Function 00C71F32 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: dbceaa954ecdf5c036057f85c9397eb33542de068ca97cbd71b27f8207d38240
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 50917C721090A34EDB2D467E847403DFFE16A923A131E479ED8FACB1C5EE24CA54D620

Function 00C719B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 1c03ec18f162d0e04c108dc0ddc0e5b2ead50adf2fb949acd772a1eb55a08aaa
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: BC9153722090A34ADB29467E857543DFFE15A923B231E879DD8FACA1C1FE14C754E620

Function 00C77A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3fdd7cb0e0af5a182b4bba372edff800436dfd47c4a71dff247c33b7f2fc69d
Instruction ID: 2324ee58ac34ad401c3edd89de884f5bee8551fcef1696ce9c948bd77c8cd847
Opcode Fuzzy Hash: b3fdd7cb0e0af5a182b4bba372edff800436dfd47c4a71dff247c33b7f2fc69d
Instruction Fuzzy Hash: B4619A3034870DA7EE349A388C9ABBE2394EF41710F10DB19E95FCB281D6119F42E755

Function 00C77CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ab8845c2a4c74f88b8f561cb2d5009ff88be6e60de5696599d1cdb31eaccaf
Instruction ID: 07940fdef4c2679b3833f94c3488afada6bac75084928f949378995eeff94059
Opcode Fuzzy Hash: 19ab8845c2a4c74f88b8f561cb2d5009ff88be6e60de5696599d1cdb31eaccaf
Instruction Fuzzy Hash: C261CD3124870D6BDE384A68485ABBF2384EF62744F10CB59E96FCB281EA12DF46D351

Function 00C71706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 1f72c02003a831686c0de5f528df714fbe7c7f9cf67f004d641865982336f620
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 848176325090A309DB6D463E857443EFFE16A923A131E879DDCFACB1C1EE24C755E620

Function 00CC2046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56dfb224bbb2221b3d05f4e706ea8c7da5308d7e9c60ae7c9b1dd87e9bc446f6
Instruction ID: fe56dfa9d487c5f69534de21ea8ffc4a2d59ba586c36895847c01c2de76a0000
Opcode Fuzzy Hash: 56dfb224bbb2221b3d05f4e706ea8c7da5308d7e9c60ae7c9b1dd87e9bc446f6
Instruction Fuzzy Hash: A821B7326206118BD728CF79C823A7E73E5AB64310F15862EE4A7C77D1DE35A905CB90

Function 00CD2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CD2B30
DeleteObject.GDI32(00000000), ref: 00CD2B43
DestroyWindow.USER32 ref: 00CD2B52
GetDesktopWindow.USER32 ref: 00CD2B6D
GetWindowRect.USER32(00000000), ref: 00CD2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00CD2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00CD2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CD2CF8
GetClientRect.USER32(00000000,?), ref: 00CD2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CD2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CD2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CD2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CD2D80
GlobalLock.KERNEL32(00000000), ref: 00CD2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CD2D98
GlobalUnlock.KERNEL32(00000000), ref: 00CD2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CD2DA8
GlobalFree.KERNEL32(00000000), ref: 00CD2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CD2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CEFC38,00000000), ref: 00CD2DDB
GlobalFree.KERNEL32(00000000), ref: 00CD2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00CD2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00CD2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CD2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CD303F

Strings

, xrefs: 00CD2FC5
AutoIt v3, xrefs: 00CD2CF2
DISPLAY, xrefs: 00CD2EA2
static, xrefs: 00CD2D3A, 00CD2E91

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 20007da5598a7a7f64b3f223821ed6d1f18557460053badaacfe2391f243e63c
Instruction ID: 36be41bc2d3fa611187d680b5452be0de19a3c194d9c6734622721601d7493dc
Opcode Fuzzy Hash: 20007da5598a7a7f64b3f223821ed6d1f18557460053badaacfe2391f243e63c
Instruction Fuzzy Hash: C8028A75900249AFDB14DFA4CC89FAE7BB9FF48311F008559F915AB2A1DB70AD42CB60

Function 00CE70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00CE712F
GetSysColorBrush.USER32(0000000F), ref: 00CE7160
GetSysColor.USER32(0000000F), ref: 00CE716C
SetBkColor.GDI32(?,000000FF), ref: 00CE7186
SelectObject.GDI32(?,?), ref: 00CE7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00CE71C0
GetSysColor.USER32(00000010), ref: 00CE71C8
CreateSolidBrush.GDI32(00000000), ref: 00CE71CF
FrameRect.USER32(?,?,00000000), ref: 00CE71DE
DeleteObject.GDI32(00000000), ref: 00CE71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00CE7230
FillRect.USER32(?,?,?), ref: 00CE7262
GetWindowLongW.USER32(?,000000F0), ref: 00CE7284

Part of subcall function 00CE73E8: GetSysColor.USER32(00000012), ref: 00CE7421
Part of subcall function 00CE73E8: SetTextColor.GDI32(?,?), ref: 00CE7425
Part of subcall function 00CE73E8: GetSysColorBrush.USER32(0000000F), ref: 00CE743B
Part of subcall function 00CE73E8: GetSysColor.USER32(0000000F), ref: 00CE7446
Part of subcall function 00CE73E8: GetSysColor.USER32(00000011), ref: 00CE7463
Part of subcall function 00CE73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CE7471
Part of subcall function 00CE73E8: SelectObject.GDI32(?,00000000), ref: 00CE7482
Part of subcall function 00CE73E8: SetBkColor.GDI32(?,00000000), ref: 00CE748B
Part of subcall function 00CE73E8: SelectObject.GDI32(?,?), ref: 00CE7498
Part of subcall function 00CE73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00CE74B7
Part of subcall function 00CE73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CE74CE
Part of subcall function 00CE73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00CE74DB

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 963fdd4f5809830bb31c7f8b33b87be17b2acf006f97ad2fc63859239caa2085
Instruction ID: 3454d7a972b13cf16ee33578e3e90507bc44ad31f14993056388b68d6a5b4f7a
Opcode Fuzzy Hash: 963fdd4f5809830bb31c7f8b33b87be17b2acf006f97ad2fc63859239caa2085
Instruction Fuzzy Hash: 22A19D72009381EFDB109F65DC88B6F7BA9FB49320F100B19FA629A1A1D731E946DB51

Function 00C68D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00C68E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00CA6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00CA6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00CA6F43

Part of subcall function 00C68F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C68BE8,?,00000000,?,?,?,?,00C68BBA,00000000,?), ref: 00C68FC5

SendMessageW.USER32(?,00001053), ref: 00CA6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00CA6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00CA6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00CA6FB7

Strings

0, xrefs: 00CA6DCF

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 901edaa0edcd066e404228f73708f6482ec2ca70f5ce48d75c2899394da5dd2a
Instruction ID: 82374dfa64b285b37a9b9bfeef8e72ed1d4f4078b8bf12372e076f46cf242550
Opcode Fuzzy Hash: 901edaa0edcd066e404228f73708f6482ec2ca70f5ce48d75c2899394da5dd2a
Instruction Fuzzy Hash: 2312D238600242DFC721CF24D884BA9B7E5FB56308F188569F4A5CB261CB32ED96DF51

Function 00CD2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00CD273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00CD286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00CD28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00CD28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00CD2900
GetClientRect.USER32(00000000,?), ref: 00CD290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00CD2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CD2964
GetStockObject.GDI32(00000011), ref: 00CD2974
SelectObject.GDI32(00000000,00000000), ref: 00CD2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00CD2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CD2991
DeleteDC.GDI32(00000000), ref: 00CD299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00CD29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00CD29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00CD2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00CD2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00CD2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00CD2A77
GetStockObject.GDI32(00000011), ref: 00CD2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00CD2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00CD2A97

Strings

msctls_progress32, xrefs: 00CD2A13
AutoIt v3, xrefs: 00CD28F8
DISPLAY, xrefs: 00CD295A
static, xrefs: 00CD294F, 00CD2A71

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 10e2436416194a12918aae29af710743d3f574947085a390e5974ee104891272
Instruction ID: 7c1d8f7cf02df2f9bcc35bc23409a4dda271fd45f08ec7b55b1dec8512e22c99
Opcode Fuzzy Hash: 10e2436416194a12918aae29af710743d3f574947085a390e5974ee104891272
Instruction Fuzzy Hash: 21B16D75A00205AFEB24DF68DC85FAE7BA9EB18711F008215FA15EB290D770ED41CBA4

Function 00CC4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CC4AED
GetDriveTypeW.KERNEL32(?,00CECB68,?,\\.\,00CECC08), ref: 00CC4BCA
SetErrorMode.KERNEL32(00000000,00CECB68,?,\\.\,00CECC08), ref: 00CC4D36

Strings

SSD, xrefs: 00CC4C4A
1394, xrefs: 00CC4C9F
SCSI, xrefs: 00CC4C8A
ATA, xrefs: 00CC4C98
SATA, xrefs: 00CC4CD0
USB, xrefs: 00CC4CB4
ATAPI, xrefs: 00CC4C91
Removable, xrefs: 00CC4C10, 00CC4C15
SSA, xrefs: 00CC4CA6
iSCSI, xrefs: 00CC4CC2
Fibre, xrefs: 00CC4CAD
RAID, xrefs: 00CC4CBB
CDROM, xrefs: 00CC4BFB
SAS, xrefs: 00CC4CC9
\\.\, xrefs: 00CC4B3F
PhysicalDrive, xrefs: 00CC4B76
FileBackedVirtual, xrefs: 00CC4CEC
Unknown, xrefs: 00CC4BED, 00CC4C83
Network, xrefs: 00CC4C02
RAMDisk, xrefs: 00CC4BF4
Fixed, xrefs: 00CC4C09
MMC, xrefs: 00CC4CDE
Virtual, xrefs: 00CC4CE5

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: dd5cb70ab8bd9d362b37d55329e2239d3f2e272cb8a3aac48c363a53c2e14fb9
Instruction ID: dc67a90e06a643473ae76c93d472f7b5dddb11988b55ebd784bbac10063fce2a
Opcode Fuzzy Hash: dd5cb70ab8bd9d362b37d55329e2239d3f2e272cb8a3aac48c363a53c2e14fb9
Instruction Fuzzy Hash: AA61B130605105EFCB18DF25EAA2FAD77B1AB04340B20C45DF806AB6A1DE31EE85EB51

Function 00CE73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00CE7421
SetTextColor.GDI32(?,?), ref: 00CE7425
GetSysColorBrush.USER32(0000000F), ref: 00CE743B
GetSysColor.USER32(0000000F), ref: 00CE7446
CreateSolidBrush.GDI32(?), ref: 00CE744B
GetSysColor.USER32(00000011), ref: 00CE7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CE7471
SelectObject.GDI32(?,00000000), ref: 00CE7482
SetBkColor.GDI32(?,00000000), ref: 00CE748B
SelectObject.GDI32(?,?), ref: 00CE7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00CE74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CE74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00CE74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CE752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CE7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00CE7572
DrawFocusRect.USER32(?,?), ref: 00CE757D
GetSysColor.USER32(00000011), ref: 00CE758E
SetTextColor.GDI32(?,00000000), ref: 00CE7596
DrawTextW.USER32(?,00CE70F5,000000FF,?,00000000), ref: 00CE75A8
SelectObject.GDI32(?,?), ref: 00CE75BF
DeleteObject.GDI32(?), ref: 00CE75CA
SelectObject.GDI32(?,?), ref: 00CE75D0
DeleteObject.GDI32(?), ref: 00CE75D5
SetTextColor.GDI32(?,?), ref: 00CE75DB
SetBkColor.GDI32(?,?), ref: 00CE75E5

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 30862cf20c08f7bc2ec45ab5e45444c3585653a66f75d2464e7b7d85039ab2f2
Instruction ID: 3601c1222f08040752d8495ab5b324252941b2cff6a1b3b198aad7fa4b8a619e
Opcode Fuzzy Hash: 30862cf20c08f7bc2ec45ab5e45444c3585653a66f75d2464e7b7d85039ab2f2
Instruction Fuzzy Hash: FB617E72901258AFDF019FA4DC89FEE7FB9EB08320F114215F921AB2A1D7709941DF90

Function 00CE0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CE1128
GetDesktopWindow.USER32 ref: 00CE113D
GetWindowRect.USER32(00000000), ref: 00CE1144
GetWindowLongW.USER32(?,000000F0), ref: 00CE1199
DestroyWindow.USER32(?), ref: 00CE11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CE11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CE120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CE121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00CE1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00CE1245
IsWindowVisible.USER32(00000000), ref: 00CE12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00CE12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00CE12D0
GetWindowRect.USER32(00000000,?), ref: 00CE12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00CE130E
GetMonitorInfoW.USER32(00000000,?), ref: 00CE1328
CopyRect.USER32(?,?), ref: 00CE133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00CE13AA

Strings

tooltips_class32, xrefs: 00CE11E6
(, xrefs: 00CE131B
0, xrefs: 00CE10D3

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: de4b239ab637fc174ddaf5fdeafc929cf72bea4a8a575949346347bc62e5d42a
Instruction ID: e8580f956047b7512c349db77157b7f69868047348030080d6059ed763a86187
Opcode Fuzzy Hash: de4b239ab637fc174ddaf5fdeafc929cf72bea4a8a575949346347bc62e5d42a
Instruction Fuzzy Hash: 06B19B71604381AFD714DF65C884B6FBBE4FF84310F048918F9999B2A1C731E855CB96

Function 00CE0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CE02E5
_wcslen.LIBCMT ref: 00CE031F
_wcslen.LIBCMT ref: 00CE0389
_wcslen.LIBCMT ref: 00CE03F1
_wcslen.LIBCMT ref: 00CE0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00CE04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CE0504

Part of subcall function 00C6F9F2: _wcslen.LIBCMT ref: 00C6F9FD

Part of subcall function 00CB223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CB2258
Part of subcall function 00CB223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CB228A

Strings

FINDITEM, xrefs: 00CE0627
SELECTALL, xrefs: 00CE0515
SELECTCLEAR, xrefs: 00CE052D
GETTEXT, xrefs: 00CE03EC, 00CE0407
ISSELECTED, xrefs: 00CE04DD
VIEWCHANGE, xrefs: 00CE0675
GETSUBITEMCOUNT, xrefs: 00CE0384, 00CE039F
GETSELECTEDCOUNT, xrefs: 00CE0470, 00CE048B
GETITEMCOUNT, xrefs: 00CE0316, 00CE0337
SELECTINVERT, xrefs: 00CE057E
SELECT, xrefs: 00CE0548
DESELECT, xrefs: 00CE059C
GETSELECTED, xrefs: 00CE05E1

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 744d48a11752b096db0f9c7c47ac4c839d09a396b152f39f443f724fe4043292
Instruction ID: f711b723a4f59124d9b0ff80adb56f9823ed55e92f865201b0275cfdcd80f7fc
Opcode Fuzzy Hash: 744d48a11752b096db0f9c7c47ac4c839d09a396b152f39f443f724fe4043292
Instruction Fuzzy Hash: 87E1D1312083819FC714DF26C59196EB3E6BF88314F24495CF8A69B3A1DB70EE85DB91

Function 00C68891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C68968
GetSystemMetrics.USER32(00000007), ref: 00C68970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C6899B
GetSystemMetrics.USER32(00000008), ref: 00C689A3
GetSystemMetrics.USER32(00000004), ref: 00C689C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C689E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C689F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C68A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C68A3C
GetClientRect.USER32(00000000,000000FF), ref: 00C68A5A
GetStockObject.GDI32(00000011), ref: 00C68A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C68A81

Part of subcall function 00C6912D: GetCursorPos.USER32(?), ref: 00C69141
Part of subcall function 00C6912D: ScreenToClient.USER32(00000000,?), ref: 00C6915E
Part of subcall function 00C6912D: GetAsyncKeyState.USER32(00000001), ref: 00C69183
Part of subcall function 00C6912D: GetAsyncKeyState.USER32(00000002), ref: 00C6919D

SetTimer.USER32(00000000,00000000,00000028,00C690FC), ref: 00C68AA8

Strings

AutoIt v3 GUI, xrefs: 00C68A20

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 40458079662e32383b90f9195aeb8d630436c85e9cb3d3a36978b4715d346310
Instruction ID: 5c529daa6374662e8d0158436c51dc69984face322207650663322115aec0830
Opcode Fuzzy Hash: 40458079662e32383b90f9195aeb8d630436c85e9cb3d3a36978b4715d346310
Instruction Fuzzy Hash: D4B19F75A0024A9FDF24DFA8CC85BAE7BB4FB58314F144219FA25EB290DB34A941CF50

Function 00CB0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CB1114
Part of subcall function 00CB10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00CB0B9B,?,?,?), ref: 00CB1120
Part of subcall function 00CB10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00CB0B9B,?,?,?), ref: 00CB112F
Part of subcall function 00CB10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00CB0B9B,?,?,?), ref: 00CB1136
Part of subcall function 00CB10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CB114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CB0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CB0E29
GetLengthSid.ADVAPI32(?), ref: 00CB0E40
GetAce.ADVAPI32(?,00000000,?), ref: 00CB0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CB0E96
GetLengthSid.ADVAPI32(?), ref: 00CB0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00CB0EB5
HeapAlloc.KERNEL32(00000000), ref: 00CB0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CB0EDD
CopySid.ADVAPI32(00000000), ref: 00CB0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CB0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CB0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CB0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CB0F6E
HeapFree.KERNEL32(00000000), ref: 00CB0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CB0F7E
HeapFree.KERNEL32(00000000), ref: 00CB0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CB0F8E
HeapFree.KERNEL32(00000000), ref: 00CB0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00CB0FA1
HeapFree.KERNEL32(00000000), ref: 00CB0FA8

Part of subcall function 00CB1193: GetProcessHeap.KERNEL32(00000008,00CB0BB1,?,00000000,?,00CB0BB1,?), ref: 00CB11A1
Part of subcall function 00CB1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00CB0BB1,?), ref: 00CB11A8
Part of subcall function 00CB1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00CB0BB1,?), ref: 00CB11B7

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: b19078c15f64c81e027245130d186b6e05382251bfe5e6117fac4756f592ca21
Instruction ID: 4efa2184f6226a0bac206d53c22e57b606d770c0c935f8b9cc99b1b92b02aa96
Opcode Fuzzy Hash: b19078c15f64c81e027245130d186b6e05382251bfe5e6117fac4756f592ca21
Instruction Fuzzy Hash: 8A715D72A0024AABDF20DFA4DC85FEFBBB8BF05301F148155F969AA191D7319E15CB60

Function 00CDC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CDC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00CECC08,00000000,?,00000000,?,?), ref: 00CDC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00CDC5A4
_wcslen.LIBCMT ref: 00CDC5F4
_wcslen.LIBCMT ref: 00CDC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00CDC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00CDC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00CDC84D
RegCloseKey.ADVAPI32(?), ref: 00CDC881
RegCloseKey.ADVAPI32(00000000), ref: 00CDC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00CDC960

Strings

REG_MULTI_SZ, xrefs: 00CDC6F5
REG_BINARY, xrefs: 00CDC913
REG_SZ, xrefs: 00CDC644
REG_DWORD, xrefs: 00CDC804
REG_EXPAND_SZ, xrefs: 00CDC5CD
REG_QWORD, xrefs: 00CDC8C3

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: f0abf38c7f197558aaa07a3618dadd70a74411a8d95c85d73d396fc72371adf6
Instruction ID: 94e9f2d588d58ca01ae2f8428df99f47f0051877d07d7eeeaac510001b25be92
Opcode Fuzzy Hash: f0abf38c7f197558aaa07a3618dadd70a74411a8d95c85d73d396fc72371adf6
Instruction Fuzzy Hash: C31278356042019FCB14DF14D881F2AB7E5EF88324F04899DF99A9B3A2DB31ED85DB85

Function 00CE091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CE09C6
_wcslen.LIBCMT ref: 00CE0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CE0A54
_wcslen.LIBCMT ref: 00CE0A8A
_wcslen.LIBCMT ref: 00CE0B06
_wcslen.LIBCMT ref: 00CE0B81

Part of subcall function 00C6F9F2: _wcslen.LIBCMT ref: 00C6F9FD

Part of subcall function 00CB2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CB2BFA

Strings

ISCHECKED, xrefs: 00CE0CE1
CHECK, xrefs: 00CE0A85, 00CE0AA0
EXPAND, xrefs: 00CE0BF8
GETTOTALCOUNT, xrefs: 00CE09F2, 00CE0A17
COLLAPSE, xrefs: 00CE0B01, 00CE0B1C
EXISTS, xrefs: 00CE0B7C, 00CE0B97
GETITEMCOUNT, xrefs: 00CE0C1E
GETTEXT, xrefs: 00CE0C97
SELECT, xrefs: 00CE0D11
UNCHECK, xrefs: 00CE0D3E
GETSELECTED, xrefs: 00CE0C4E

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: ba7b6b04f7a4b40dfca19b4f8f565d862eb18b47d669be5c82c3215cf5e5c440
Instruction ID: dba57bc69e479a3ece2492dcec9a1c6b521c143d180491d206e64b98ed8d1a96
Opcode Fuzzy Hash: ba7b6b04f7a4b40dfca19b4f8f565d862eb18b47d669be5c82c3215cf5e5c440
Instruction Fuzzy Hash: 63E1B0352083819FC714DF26C49096AB7E1FF94314F24495CF8A69B362DB70EE85DB91

Function 00CDC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CDB6AE,?,?), ref: 00CDC9B5
_wcslen.LIBCMT ref: 00CDC9F1
_wcslen.LIBCMT ref: 00CDCA68
_wcslen.LIBCMT ref: 00CDCA9E
_wcslen.LIBCMT ref: 00CDCAF9
_wcslen.LIBCMT ref: 00CDCB2F
_wcslen.LIBCMT ref: 00CDCB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00CDCA62, 00CDCA67
HKU, xrefs: 00CDCBF0
HKEY_CURRENT_CONFIG, xrefs: 00CDCB79, 00CDCB7E
HKCC, xrefs: 00CDCBAC
HKEY_CLASSES_ROOT, xrefs: 00CDCAF3, 00CDCAF8
HKEY_USERS, xrefs: 00CDCBDF
HKLM, xrefs: 00CDCA98, 00CDCA9D
HKCU, xrefs: 00CDCBCE
HKEY_CURRENT_USER, xrefs: 00CDCBBD
HKCR, xrefs: 00CDCB29, 00CDCB2E

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: d6c13b9b29b0cdc8207b7acb92b71d5a2e2401393e52f6092949027bebe5a066
Instruction ID: c1efa2516c99d3f29e39a607e21e0aa65bd3711a770bb33d49c42ca17123e74d
Opcode Fuzzy Hash: d6c13b9b29b0cdc8207b7acb92b71d5a2e2401393e52f6092949027bebe5a066
Instruction Fuzzy Hash: D071073261016B9BCB20DE78D9C15BF33A59BA0750F11052BFE7997394EA31CE85E3A0

Function 00CE833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CE835A
_wcslen.LIBCMT ref: 00CE836E
_wcslen.LIBCMT ref: 00CE8391
_wcslen.LIBCMT ref: 00CE83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CE83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00CE5BF2), ref: 00CE844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CE8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CE84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CE8501
FreeLibrary.KERNEL32(?), ref: 00CE850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CE851D
DestroyIcon.USER32(?,?,?,?,?,00CE5BF2), ref: 00CE852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CE8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CE8555

Strings

.dll, xrefs: 00CE83AB
.exe, xrefs: 00CE8388
.icl, xrefs: 00CE8368

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 61c310c333d2bf7b3aece0727491e7606a2f6ee5549e0d9730cf1a38fb513168
Instruction ID: 9b4b4a3cc6243f824ea994c040eecfc64b5998eca974e6316e537e2226b97d53
Opcode Fuzzy Hash: 61c310c333d2bf7b3aece0727491e7606a2f6ee5549e0d9730cf1a38fb513168
Instruction Fuzzy Hash: 2361D071540245BEEB14DF65CC81BFE77A8FB04721F108609F929EA0D1DF74AA84D7A0

Function 00C57778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-end, xrefs: 00C578D9
#OnAutoItStartRegister, xrefs: 00C57817
#ce, xrefs: 00C578ED
Cannot parse #include, xrefs: 00C95279
Bad directive syntax error, xrefs: 00C9519A
Unterminated group of comments, xrefs: 00C9528C
#comments-start, xrefs: 00C5785F, 00C578B1
#include, xrefs: 00C57847
#pragma compile, xrefs: 00C577D3
', xrefs: 00C95169
", xrefs: 00C95153
#cs, xrefs: 00C57873, 00C578C5
#requireadmin, xrefs: 00C577FF
#notrayicon, xrefs: 00C577E7
#include-once, xrefs: 00C5782F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 0f216a0c66eefbd2ef56398b7bb55aab3a7c9803a8860aaa6db0e94f574775b2
Instruction ID: 12c57c540d4e042445e7563957d696d44bded9a788f8dcf629caf952497fc58d
Opcode Fuzzy Hash: 0f216a0c66eefbd2ef56398b7bb55aab3a7c9803a8860aaa6db0e94f574775b2
Instruction Fuzzy Hash: 8A812875640605BBDF22AF61EC46FAE37A8EF14340F104024FD14AA192EB70DBC9D7A5

Function 00CC3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00CC3EF8
_wcslen.LIBCMT ref: 00CC3F03
_wcslen.LIBCMT ref: 00CC3F5A
_wcslen.LIBCMT ref: 00CC3F98
GetDriveTypeW.KERNEL32(?), ref: 00CC3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CC401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CC4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CC4087

Strings

set cd door , xrefs: 00CC4028
wait, xrefs: 00CC4044
open, xrefs: 00CC3F54, 00CC3F59
close cd wait, xrefs: 00CC4072
type cdaudio alias cd wait, xrefs: 00CC4001
closed, xrefs: 00CC3F08, 00CC3F2D, 00CC3F46, 00CC3F7E, 00CC3F97
open , xrefs: 00CC3FE5
close, xrefs: 00CC3EFE, 00CC3F18

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: d3ca4034c5742809dbb1d48f7ec65f22fc1d63e21e00b37242c1a24811f4044b
Instruction ID: b5cd1f622b5d01e52f60d9cdc7680be12b6eff7ed73cf867ca61d406988a1b71
Opcode Fuzzy Hash: d3ca4034c5742809dbb1d48f7ec65f22fc1d63e21e00b37242c1a24811f4044b
Instruction Fuzzy Hash: BB71E2326043019FC310EF24D891AAAB7F4EF94754F40896DF9A597261EB30EE89DB91

Function 00CB5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00CB5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00CB5A40
SetWindowTextW.USER32(?,?), ref: 00CB5A57
GetDlgItem.USER32(?,000003EA), ref: 00CB5A6C
SetWindowTextW.USER32(00000000,?), ref: 00CB5A72
GetDlgItem.USER32(?,000003E9), ref: 00CB5A82
SetWindowTextW.USER32(00000000,?), ref: 00CB5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00CB5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00CB5AC3
GetWindowRect.USER32(?,?), ref: 00CB5ACC
_wcslen.LIBCMT ref: 00CB5B33
SetWindowTextW.USER32(?,?), ref: 00CB5B6F
GetDesktopWindow.USER32 ref: 00CB5B75
GetWindowRect.USER32(00000000), ref: 00CB5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00CB5BD3
GetClientRect.USER32(?,?), ref: 00CB5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00CB5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00CB5C2F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: fc102490dc562830c556262f3ab62c122b18eaa8cec1f6bfadc48abebd1fbd97
Instruction ID: f2f5e15a023461e2bba295eb5e41fb9ef161f784e6c7d9994288e49fb20dd779
Opcode Fuzzy Hash: fc102490dc562830c556262f3ab62c122b18eaa8cec1f6bfadc48abebd1fbd97
Instruction Fuzzy Hash: 16717C31900B09AFDB20DFA9CE85BAEBBF5FF48704F104918E592A65A0D775EA41CB50

Function 00CCFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00CCFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 00CCFE32
LoadCursorW.USER32(00000000,00007F00), ref: 00CCFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 00CCFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 00CCFE53
LoadCursorW.USER32(00000000,00007F01), ref: 00CCFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 00CCFE69
LoadCursorW.USER32(00000000,00007F88), ref: 00CCFE74
LoadCursorW.USER32(00000000,00007F80), ref: 00CCFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 00CCFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 00CCFE95
LoadCursorW.USER32(00000000,00007F85), ref: 00CCFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 00CCFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 00CCFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 00CCFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 00CCFECC
GetCursorInfo.USER32(?), ref: 00CCFEDC
GetLastError.KERNEL32 ref: 00CCFF1E

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 079707ccc54883896401ce3f8c5b0423029cc49bd36f757b9c106e10c18b10e7
Instruction ID: 51d75b47b7fe9b34ae4b0332d91f7c95052af00494f5d023f830a19dda81cd2f
Opcode Fuzzy Hash: 079707ccc54883896401ce3f8c5b0423029cc49bd36f757b9c106e10c18b10e7
Instruction Fuzzy Hash: 4D4151B0D043196ADB109FBACCC9D5EBFE9FF04354B50452EE119EB291DB78A902CE91

Function 00C700C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00C700C6

Part of subcall function 00C700ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00D2070C,00000FA0,C07459F6,?,?,?,?,00C923B3,000000FF), ref: 00C7011C
Part of subcall function 00C700ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00C923B3,000000FF), ref: 00C70127
Part of subcall function 00C700ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00C923B3,000000FF), ref: 00C70138
Part of subcall function 00C700ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00C7014E
Part of subcall function 00C700ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00C7015C
Part of subcall function 00C700ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00C7016A
Part of subcall function 00C700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C70195
Part of subcall function 00C700ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C701A0

___scrt_fastfail.LIBCMT ref: 00C700E7

Part of subcall function 00C700A3: __onexit.LIBCMT ref: 00C700A9

Strings

WakeAllConditionVariable, xrefs: 00C70162
SleepConditionVariableCS, xrefs: 00C70154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00C70122
InitializeConditionVariable, xrefs: 00C70148
kernel32.dll, xrefs: 00C70133

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 6fcba571264c4095e262ac5fa8e556a296f748da3cc650034aa499f2e31917c3
Instruction ID: 029f8c8585ae96d8dd898decd7154c49f2be96314ed8aa05983bda7a029c4b62
Opcode Fuzzy Hash: 6fcba571264c4095e262ac5fa8e556a296f748da3cc650034aa499f2e31917c3
Instruction Fuzzy Hash: 5E21F973644750EFD7215B64AC86B6E3B98EB04B61F20813DF815E76D1DB6099018BA0

Function 00CB30F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CB318D
_wcslen.LIBCMT ref: 00CB31F8

Strings

CLASS, xrefs: 00CB3188, 00CB31A5
NAME, xrefs: 00CB3335, 00CB3346
CLASSNN, xrefs: 00CB31F3, 00CB3204
REGEXPCLASS, xrefs: 00CB3255, 00CB3266
TEXT, xrefs: 00CB347C
INSTANCE, xrefs: 00CB3453

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 45e8b30c47c9b361a0d0b530f10671485ce1181919dbfdd52fde29c0073c5c8b
Instruction ID: 2f4b8263466895cef2d6eb6d69e3803eedb27ff6879641124981002cc87ca0fc
Opcode Fuzzy Hash: 45e8b30c47c9b361a0d0b530f10671485ce1181919dbfdd52fde29c0073c5c8b
Instruction Fuzzy Hash: 0DE1F731A00556EBCF299FB8C8517EEBBB4BF54710F548119E466B7240DF30AF899BA0

Function 00CC44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00CECC08), ref: 00CC4527
_wcslen.LIBCMT ref: 00CC453B
_wcslen.LIBCMT ref: 00CC4599
_wcslen.LIBCMT ref: 00CC45F4
_wcslen.LIBCMT ref: 00CC463F
_wcslen.LIBCMT ref: 00CC46A7

Part of subcall function 00C6F9F2: _wcslen.LIBCMT ref: 00C6F9FD

GetDriveTypeW.KERNEL32(?,00D16BF0,00000061), ref: 00CC4743

Strings

network, xrefs: 00CC469D, 00CC46A2
unknown, xrefs: 00CC4708
all, xrefs: 00CC4531, 00CC4536
cdrom, xrefs: 00CC458F, 00CC4594
removable, xrefs: 00CC45EA, 00CC45EF
ramdisk, xrefs: 00CC46F1
fixed, xrefs: 00CC4635, 00CC463A

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 762428b1381dac9dee78687065cda8d5d1739869a6cba40c07ec79a94245fcb0
Instruction ID: d5e90001d602d9624ee219a173f84794334c29ba46134983173b1c1d495c1ed2
Opcode Fuzzy Hash: 762428b1381dac9dee78687065cda8d5d1739869a6cba40c07ec79a94245fcb0
Instruction Fuzzy Hash: 6CB1F3316083029FC718DF28D8A0F6EB7E5AFA5760F50891DF4A6C7295DB30D985CB62

Function 00CD3FE9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00CECC08), ref: 00CD40BB
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00CD40CD
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00CECC08), ref: 00CD40F2
FreeLibrary.KERNEL32(00000000,?,00CECC08), ref: 00CD413E
StringFromGUID2.OLE32(?,?,00000028,?,00CECC08), ref: 00CD41A8
SysFreeString.OLEAUT32(00000009), ref: 00CD4262
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00CD42C8
SysFreeString.OLEAUT32(?), ref: 00CD42F2

Strings

kernel32.dll, xrefs: 00CD40B6
GetModuleHandleExW, xrefs: 00CD40C7

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 3308d3dcdc1d600f57f1c26429fd65c901012db98e23f09caf95a725b8646a9d
Instruction ID: 59fd094db11fb26e3f181aed54f01023e2622873db8c3c4f8db44fc75fe79fea
Opcode Fuzzy Hash: 3308d3dcdc1d600f57f1c26429fd65c901012db98e23f09caf95a725b8646a9d
Instruction Fuzzy Hash: C4124C75A00115EFDB18CF94C884EAEB7B5FF45314F248099FA15AB261D731EE86CBA0

Function 00C5326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00D21990), ref: 00C92F8D
GetMenuItemCount.USER32(00D21990), ref: 00C9303D
GetCursorPos.USER32(?), ref: 00C93081
SetForegroundWindow.USER32(00000000), ref: 00C9308A
TrackPopupMenuEx.USER32(00D21990,00000000,?,00000000,00000000,00000000), ref: 00C9309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C930A9

Strings

0, xrefs: 00C5327D

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: b1d0cb20d6a11861d9f00f5b09ab50b78c94696eedbd7a9ec7ee1ae476e71a6a
Instruction ID: 9d12fc75b55bbbdb3c01021298a8a1103b837aa152d7b6ab88ee786e766f0baa
Opcode Fuzzy Hash: b1d0cb20d6a11861d9f00f5b09ab50b78c94696eedbd7a9ec7ee1ae476e71a6a
Instruction Fuzzy Hash: 95712930640256BEEF218F65CC8DFAABF64FF04364F204216F925AA1E1C7B1AE54DB54

Function 00CE6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00CE6DEB

Part of subcall function 00C56B57: _wcslen.LIBCMT ref: 00C56B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CE6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CE6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CE6E94
DestroyWindow.USER32(?), ref: 00CE6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C50000,00000000), ref: 00CE6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CE6EFD
GetDesktopWindow.USER32 ref: 00CE6F16
GetWindowRect.USER32(00000000), ref: 00CE6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CE6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CE6F4D

Part of subcall function 00C69944: GetWindowLongW.USER32(?,000000EB), ref: 00C69952

Strings

tooltips_class32, xrefs: 00CE6E58, 00CE6EDD
0, xrefs: 00CE6D98

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: fe45a7dd26ed1c1a010700e1f08b1142d11bf012a2b2c5fc45ccca9971d4f42b
Instruction ID: c5c3941c2a916ada53309f843a64c5b41bd86ec409d5ac7c32849b1a46a06374
Opcode Fuzzy Hash: fe45a7dd26ed1c1a010700e1f08b1142d11bf012a2b2c5fc45ccca9971d4f42b
Instruction Fuzzy Hash: 66716874104384AFDB21CF19D884BAABBE9FBA9344F04441DF9A9872A1C770AE46DF11

Function 00CE911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C69BB2

DragQueryPoint.SHELL32(?,?), ref: 00CE9147

Part of subcall function 00CE7674: ClientToScreen.USER32(?,?), ref: 00CE769A
Part of subcall function 00CE7674: GetWindowRect.USER32(?,?), ref: 00CE7710
Part of subcall function 00CE7674: PtInRect.USER32(?,?,00CE8B89), ref: 00CE7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00CE91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CE91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CE91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CE9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00CE923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00CE9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00CE9277
DragFinish.SHELL32(?), ref: 00CE927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CE9371

Strings

@GUI_DROPID, xrefs: 00CE929E
@GUI_DRAGID, xrefs: 00CE92E9
@GUI_DRAGFILE, xrefs: 00CE9320

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 433110863f39081ada470dec49a946ba8fbebf72ebf7860fe747e4bb2b359cd5
Instruction ID: 272cad651a95b305ad07bd1accb4a99c5f6b745c159806bf66ea47f388cd50e2
Opcode Fuzzy Hash: 433110863f39081ada470dec49a946ba8fbebf72ebf7860fe747e4bb2b359cd5
Instruction Fuzzy Hash: 1C618C71108341AFC701DF65DC85EAFBBE8EF99750F000A1DF991961A1DB309A49CB66

Function 00CCC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CCC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CCC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CCC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00CCC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00CCC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00CCC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CCC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CCC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CCC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CCC5F0
InternetCloseHandle.WININET(00000000), ref: 00CCC5FB

Strings

, xrefs: 00CCC575

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 4ff279250d1e0fbcafb862690c323088be2d3348da0387df54c0c9dc95b03dcc
Instruction ID: 5dcfe711d74236d34ba6db905b362b832f46c90af52283c9081a3d82fc6452ce
Opcode Fuzzy Hash: 4ff279250d1e0fbcafb862690c323088be2d3348da0387df54c0c9dc95b03dcc
Instruction Fuzzy Hash: 1C5139B1500648BFDB218F65C9C8FAB7BBCFB08754F00841EF95AD6650DB34EA45AB60

Function 00CE856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00CE8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CE85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CE85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CE85BA
GlobalLock.KERNEL32(00000000), ref: 00CE85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CE85D7
GlobalUnlock.KERNEL32(00000000), ref: 00CE85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CE85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00CE85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00CEFC38,?), ref: 00CE8611
GlobalFree.KERNEL32(00000000), ref: 00CE8621
GetObjectW.GDI32(?,00000018,?), ref: 00CE8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00CE8671
DeleteObject.GDI32(?), ref: 00CE8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CE86AF

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c30b0fcb418ec7935501ce77cb3bd46f683db73282321afc977ae6ab89a74446
Instruction ID: a47061c79885168dcf516daed323238dbaed3871f70400bd58bec3c38c80a9e8
Opcode Fuzzy Hash: c30b0fcb418ec7935501ce77cb3bd46f683db73282321afc977ae6ab89a74446
Instruction Fuzzy Hash: D6410A75600244AFDB11DFA5CC88FAE7BBCEF89715F104059F919EB260DB309A06DB60

Function 00CC14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00CC1502
VariantCopy.OLEAUT32(?,?), ref: 00CC150B
VariantClear.OLEAUT32(?), ref: 00CC1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00CC15FB
VarR8FromDec.OLEAUT32(?,?), ref: 00CC1657
VariantInit.OLEAUT32(?), ref: 00CC1708
SysFreeString.OLEAUT32(?), ref: 00CC178C
VariantClear.OLEAUT32(?), ref: 00CC17D8
VariantClear.OLEAUT32(?), ref: 00CC17E7
VariantInit.OLEAUT32(00000000), ref: 00CC1823

Strings

Default, xrefs: 00CC16AF
%4d%02d%02d%02d%02d%02d, xrefs: 00CC1625

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 51883e3d625348d6617c0fe13442e745fa5d3ee9b50e17540a7152dd52710156
Instruction ID: 816b80d7417cd40592b41d55176aa5eb3fed86b96d15edaf542850e0a047c5aa
Opcode Fuzzy Hash: 51883e3d625348d6617c0fe13442e745fa5d3ee9b50e17540a7152dd52710156
Instruction Fuzzy Hash: 0ED1F071A00215DBCB109F67E885F7DB7B5BF46700F58809AEC06AB182DB30ED45EB61

Function 00CDB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

Part of subcall function 00CDC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CDB6AE,?,?), ref: 00CDC9B5
Part of subcall function 00CDC998: _wcslen.LIBCMT ref: 00CDC9F1
Part of subcall function 00CDC998: _wcslen.LIBCMT ref: 00CDCA68
Part of subcall function 00CDC998: _wcslen.LIBCMT ref: 00CDCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CDB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CDB772
RegDeleteValueW.ADVAPI32(?,?), ref: 00CDB80A
RegCloseKey.ADVAPI32(?), ref: 00CDB87E
RegCloseKey.ADVAPI32(?), ref: 00CDB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00CDB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CDB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00CDB922
FreeLibrary.KERNEL32(00000000), ref: 00CDB983
RegCloseKey.ADVAPI32(00000000), ref: 00CDB994

Strings

RegDeleteKeyExW, xrefs: 00CDB8FE
advapi32.dll, xrefs: 00CDB8ED

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 3e47b87ae6e12594aed6c76a50d602a541805328c71cd407e1394840d43075e3
Instruction ID: b95a0ae6ca690b3956996d07c73a7c0e596c36bda9aa92cc5a5a87a181c37dab
Opcode Fuzzy Hash: 3e47b87ae6e12594aed6c76a50d602a541805328c71cd407e1394840d43075e3
Instruction Fuzzy Hash: 53C18B34204241EFD710DF14C894F2ABBE1EF84318F15859DE5AA4B3A2CB31ED86DB91

Function 00CD255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CD25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00CD25E8
CreateCompatibleDC.GDI32(?), ref: 00CD25F4
SelectObject.GDI32(00000000,?), ref: 00CD2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00CD266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00CD26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00CD26D0
SelectObject.GDI32(?,?), ref: 00CD26D8
DeleteObject.GDI32(?), ref: 00CD26E1
DeleteDC.GDI32(?), ref: 00CD26E8
ReleaseDC.USER32(00000000,?), ref: 00CD26F3

Strings

(, xrefs: 00CD268D

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 95f1762163962b7328a61d1adcc48046ab744a447027a4a9213f559331de368b
Instruction ID: 8dbd97464e647b58c2f4560c4fda056fbef56c88bea65c5fdd278fea35b24c2e
Opcode Fuzzy Hash: 95f1762163962b7328a61d1adcc48046ab744a447027a4a9213f559331de368b
Instruction Fuzzy Hash: CB61E175D00219EFCF14CFA8D884AAEBBB5FF48310F20852AEA55A7350D770A942DF60

Function 00C8DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00C8DAA1

Part of subcall function 00C8D63C: _free.LIBCMT ref: 00C8D659
Part of subcall function 00C8D63C: _free.LIBCMT ref: 00C8D66B
Part of subcall function 00C8D63C: _free.LIBCMT ref: 00C8D67D
Part of subcall function 00C8D63C: _free.LIBCMT ref: 00C8D68F
Part of subcall function 00C8D63C: _free.LIBCMT ref: 00C8D6A1
Part of subcall function 00C8D63C: _free.LIBCMT ref: 00C8D6B3
Part of subcall function 00C8D63C: _free.LIBCMT ref: 00C8D6C5
Part of subcall function 00C8D63C: _free.LIBCMT ref: 00C8D6D7
Part of subcall function 00C8D63C: _free.LIBCMT ref: 00C8D6E9
Part of subcall function 00C8D63C: _free.LIBCMT ref: 00C8D6FB
Part of subcall function 00C8D63C: _free.LIBCMT ref: 00C8D70D
Part of subcall function 00C8D63C: _free.LIBCMT ref: 00C8D71F
Part of subcall function 00C8D63C: _free.LIBCMT ref: 00C8D731

_free.LIBCMT ref: 00C8DA96

Part of subcall function 00C829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C8D7D1,00000000,00000000,00000000,00000000,?,00C8D7F8,00000000,00000007,00000000,?,00C8DBF5,00000000), ref: 00C829DE
Part of subcall function 00C829C8: GetLastError.KERNEL32(00000000,?,00C8D7D1,00000000,00000000,00000000,00000000,?,00C8D7F8,00000000,00000007,00000000,?,00C8DBF5,00000000,00000000), ref: 00C829F0

_free.LIBCMT ref: 00C8DAB8
_free.LIBCMT ref: 00C8DACD
_free.LIBCMT ref: 00C8DAD8
_free.LIBCMT ref: 00C8DAFA
_free.LIBCMT ref: 00C8DB0D
_free.LIBCMT ref: 00C8DB1B
_free.LIBCMT ref: 00C8DB26
_free.LIBCMT ref: 00C8DB5E
_free.LIBCMT ref: 00C8DB65
_free.LIBCMT ref: 00C8DB82
_free.LIBCMT ref: 00C8DB9A

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 7e60b02a5b6f62b9b5d4fbcd63617535fcf3b6d2166b0e9ba3e2f765b15eb97a
Instruction ID: 06cb394f4d6963d5c4caa7c0c2afc35aca94a1650804e1048e0fe7628d426742
Opcode Fuzzy Hash: 7e60b02a5b6f62b9b5d4fbcd63617535fcf3b6d2166b0e9ba3e2f765b15eb97a
Instruction Fuzzy Hash: D3316F316043049FDB25BA39E845BA677E9FF00319F224419F46AD71D1DF34ED80A728

Function 00CB365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00CB369C
_wcslen.LIBCMT ref: 00CB36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00CB3797
GetClassNameW.USER32(?,?,00000400), ref: 00CB380C
GetDlgCtrlID.USER32(?), ref: 00CB385D
GetWindowRect.USER32(?,?), ref: 00CB3882
GetParent.USER32(?), ref: 00CB38A0
ScreenToClient.USER32(00000000), ref: 00CB38A7
GetClassNameW.USER32(?,?,00000100), ref: 00CB3921
GetWindowTextW.USER32(?,?,00000400), ref: 00CB395D

Strings

%s%u, xrefs: 00CB3734

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 5f413c0e8cc3978cfa9027a578a5b343e1ff24c40deefa9a00e87a491d4d75dd
Instruction ID: 9f699bbef1ad98b4f9fe9677d1b5ca83727bc65f98daa3dca01a9c417334f676
Opcode Fuzzy Hash: 5f413c0e8cc3978cfa9027a578a5b343e1ff24c40deefa9a00e87a491d4d75dd
Instruction Fuzzy Hash: 1191D071604746AFD719DF64C885BEAB7A8FF44300F008629F9A9D2190EB30EB46CB91

Function 00CB4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00CB4994
GetWindowTextW.USER32(?,?,00000400), ref: 00CB49DA
_wcslen.LIBCMT ref: 00CB49EB
CharUpperBuffW.USER32(?,00000000), ref: 00CB49F7
_wcsstr.LIBVCRUNTIME ref: 00CB4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00CB4A64
GetWindowTextW.USER32(?,?,00000400), ref: 00CB4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00CB4AE6
GetClassNameW.USER32(?,?,00000400), ref: 00CB4B20
GetWindowRect.USER32(?,?), ref: 00CB4B8B

Strings

ThumbnailClass, xrefs: 00CB4A6F, 00CB4AF1

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 94cacc44affb110df3b7d388510db70ec25d28f4937e0d1fee386309b1382782
Instruction ID: e95077b4ae7f8eb4fd4e2ee3a0bce3ccec76c20c0f50c8d6652fcef9dc89a7ba
Opcode Fuzzy Hash: 94cacc44affb110df3b7d388510db70ec25d28f4937e0d1fee386309b1382782
Instruction Fuzzy Hash: 8691BD720082059FDB08CF14C981FEA7BE8FF84714F048469FE959A196DB34EE46CBA1

Function 00CE8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C69BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CE8D5A
GetFocus.USER32 ref: 00CE8D6A
GetDlgCtrlID.USER32(00000000), ref: 00CE8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00CE8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00CE8ECF
GetMenuItemCount.USER32(?), ref: 00CE8EEC
GetMenuItemID.USER32(?,00000000), ref: 00CE8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00CE8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00CE8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CE8FA1

Strings

0, xrefs: 00CE8E9F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 9bae13bc2792d8964858f5afed8a124253b3141a32826a638a23ef5c6eec40bb
Instruction ID: f2cb753533d349f357ae5855fb714fd671494d0be04f18731042f2b6c39d5c91
Opcode Fuzzy Hash: 9bae13bc2792d8964858f5afed8a124253b3141a32826a638a23ef5c6eec40bb
Instruction Fuzzy Hash: 4381D2715083819FD720CF16C884AAB7BE9FF88314F04091DF9A8D7291DB30DA09DBA1

Function 00CBBF30 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00D21990,000000FF,00000000,00000030), ref: 00CBBFAC
SetMenuItemInfoW.USER32(00D21990,00000004,00000000,00000030), ref: 00CBBFE1
Sleep.KERNEL32(000001F4), ref: 00CBBFF3
GetMenuItemCount.USER32(?), ref: 00CBC039
GetMenuItemID.USER32(?,00000000), ref: 00CBC056
GetMenuItemID.USER32(?,-00000001), ref: 00CBC082
GetMenuItemID.USER32(?,?), ref: 00CBC0C9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CBC10F
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CBC124
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CBC145

Strings

0, xrefs: 00CBBF3D

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 843614d6b6155b4e48304de447545656bc06ffb6ca3e2beafff30973e81b6057
Instruction ID: 936d5fc19fc16d96b7439274aff40c090e9ed359fe4f6f326c59ad9b3869da55
Opcode Fuzzy Hash: 843614d6b6155b4e48304de447545656bc06ffb6ca3e2beafff30973e81b6057
Instruction Fuzzy Hash: D9618DB090028AAFDF21DFA8DDC8AFE7BB8EB05344F004055E861A7291C775AE45DB61

Function 00CBDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00CBDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00CBDC46
_wcslen.LIBCMT ref: 00CBDC50
_wcsstr.LIBVCRUNTIME ref: 00CBDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00CBDCBC

Strings

04090000, xrefs: 00CBDCF2
DefaultLangCodepage, xrefs: 00CBDD1F
\VarFileInfo\Translation, xrefs: 00CBDCB4
%u.%u.%u.%u, xrefs: 00CBDD9A
StringFileInfo\, xrefs: 00CBDC8F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: f5e9df9ec7e00c92dd636e85898de7be54ae0f80f218b883efe830936788bf20
Instruction ID: 6fb22126fe3da192324d344468bab3d335f807c2d892a42fc8c46cc3a32014d5
Opcode Fuzzy Hash: f5e9df9ec7e00c92dd636e85898de7be54ae0f80f218b883efe830936788bf20
Instruction Fuzzy Hash: FC412432A402007BDB14AB75EC87EFF3B6CEF45710F10406AF905A6182FB75DA02A6B5

Function 00CDCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CDCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00CDCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CDCD48

Part of subcall function 00CDCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00CDCCAA
Part of subcall function 00CDCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00CDCCBD
Part of subcall function 00CDCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CDCCCF
Part of subcall function 00CDCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CDCD05
Part of subcall function 00CDCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CDCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00CDCCF3

Strings

RegDeleteKeyExW, xrefs: 00CDCCC9
advapi32.dll, xrefs: 00CDCCB8

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 5971b1a758da99e23d1fb87781b2c8fed095bdeb4be8819b347dc6c313301257
Instruction ID: f0a6d2827c8657d0d828e8bb2789ccfd2703ab8c26e4bc909acd5c0535bdc29f
Opcode Fuzzy Hash: 5971b1a758da99e23d1fb87781b2c8fed095bdeb4be8819b347dc6c313301257
Instruction Fuzzy Hash: 15315E72901129BBDB209B55DCC8FFFBB7CEF45750F000166FA16E6250DA349B46DAA0

Function 00CC3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CC3D40
_wcslen.LIBCMT ref: 00CC3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00CC3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CC3DBE
RemoveDirectoryW.KERNEL32(?), ref: 00CC3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00CC3E55
CloseHandle.KERNEL32(00000000), ref: 00CC3E60
CloseHandle.KERNEL32(00000000), ref: 00CC3E6B

Strings

\, xrefs: 00CC3D77
:, xrefs: 00CC3D82
\??\%s, xrefs: 00CC3D5B

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: d1844e10883f2a4b25ee7cacbfdbe4c5fb0c56495e8152836dac93dfe79343d1
Instruction ID: 5a934f9cca02c4bb0a0cd1da22e1093f658a73f1384f943d57491487f1df4a32
Opcode Fuzzy Hash: d1844e10883f2a4b25ee7cacbfdbe4c5fb0c56495e8152836dac93dfe79343d1
Instruction Fuzzy Hash: 20318571910249ABDB21DBA0EC89FEF37BCEF89710F1081A9F619D6060EB7497458B24

Function 00CBE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00CBE6B4

Part of subcall function 00C6E551: timeGetTime.WINMM(?,?,00CBE6D4), ref: 00C6E555

Sleep.KERNEL32(0000000A), ref: 00CBE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00CBE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00CBE727
SetActiveWindow.USER32 ref: 00CBE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00CBE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00CBE773
Sleep.KERNEL32(000000FA), ref: 00CBE77E
IsWindow.USER32 ref: 00CBE78A
EndDialog.USER32(00000000), ref: 00CBE79B

Strings

BUTTON, xrefs: 00CBE719

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 53b547dbee26229cdb6dfed2ef541e222674f2d57f15569c257252bfadc47d87
Instruction ID: 74a4d6bdec6b1c0ead7a0fb04747e32daa9517a60e6e2ba216b8893619786873
Opcode Fuzzy Hash: 53b547dbee26229cdb6dfed2ef541e222674f2d57f15569c257252bfadc47d87
Instruction Fuzzy Hash: 7A218471200384BFEB205F60ECCABBA3B69FB65B49F105425F815E53A1DB71AC069A34

Function 00CBE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00CBEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00CBEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CBEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00CBEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00CBEAA7

Strings

status PlayMe mode, xrefs: 00CBEA58
play PlayMe, xrefs: 00CBEAA2
alias PlayMe, xrefs: 00CBEA36
open , xrefs: 00CBEA0C
close PlayMe, xrefs: 00CBEA6E, 00CBEA9B
play PlayMe wait, xrefs: 00CBEA91

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 7ffc0d8ed631fee0b49ff2b2b1810ba3f2de80ae88664dfb44caa767b7a9a094
Instruction ID: c5ac012296fe5a8b9f60fb953fcc9871f7eb06ad6f61c892aca4d43d0c7f2794
Opcode Fuzzy Hash: 7ffc0d8ed631fee0b49ff2b2b1810ba3f2de80ae88664dfb44caa767b7a9a094
Instruction Fuzzy Hash: 9C118A356902697ED710A7A1EC4ADFF6E7CEFD1F40F4004297811A20D1DE705E89D9B0

Function 00CB9F91 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00CBA012
SetKeyboardState.USER32(?), ref: 00CBA07D
GetAsyncKeyState.USER32(000000A0), ref: 00CBA09D
GetKeyState.USER32(000000A0), ref: 00CBA0B4
GetAsyncKeyState.USER32(000000A1), ref: 00CBA0E3
GetKeyState.USER32(000000A1), ref: 00CBA0F4
GetAsyncKeyState.USER32(00000011), ref: 00CBA120
GetKeyState.USER32(00000011), ref: 00CBA12E
GetAsyncKeyState.USER32(00000012), ref: 00CBA157
GetKeyState.USER32(00000012), ref: 00CBA165
GetAsyncKeyState.USER32(0000005B), ref: 00CBA18E
GetKeyState.USER32(0000005B), ref: 00CBA19C

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 992ce6428085acce397d34beb969ef15b39c3c92f844410ebb8be8e50bea86c7
Instruction ID: cc25ff2cb0b9ba743074a8f545f23c533581c7febedffd9ba622528787fec8a8
Opcode Fuzzy Hash: 992ce6428085acce397d34beb969ef15b39c3c92f844410ebb8be8e50bea86c7
Instruction Fuzzy Hash: 8E51E8309047986AFB35EBA488517EEBFB49F12380F088599D5D25B1C2DA64AF4CC763

Function 00CB5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00CB5CE2
GetWindowRect.USER32(00000000,?), ref: 00CB5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00CB5D59
GetDlgItem.USER32(?,00000002), ref: 00CB5D69
GetWindowRect.USER32(00000000,?), ref: 00CB5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00CB5DCF
GetDlgItem.USER32(?,000003E9), ref: 00CB5DDD
GetWindowRect.USER32(00000000,?), ref: 00CB5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00CB5E31
GetDlgItem.USER32(?,000003EA), ref: 00CB5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00CB5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00CB5E67

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 0785bcbe68d49e98991af001c56affdb136c8c82ca6e107f8d23b3a81e1bb646
Instruction ID: 17c0dcd1beb146374a62230720db5bf96610fd95029dd73f3c54c10b1e9a1f7c
Opcode Fuzzy Hash: 0785bcbe68d49e98991af001c56affdb136c8c82ca6e107f8d23b3a81e1bb646
Instruction Fuzzy Hash: B251EDB1A00615AFDF18CF68DD89BAEBBB9FB48310F548229F915E6290D7709E05CB50

Function 00C68BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C68F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C68BE8,?,00000000,?,?,?,?,00C68BBA,00000000,?), ref: 00C68FC5

DestroyWindow.USER32(?), ref: 00C68C81
KillTimer.USER32(00000000,?,?,?,?,00C68BBA,00000000,?), ref: 00C68D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00CA6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00C68BBA,00000000,?), ref: 00CA69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00C68BBA,00000000,?), ref: 00CA69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00C68BBA,00000000), ref: 00CA69D4
DeleteObject.GDI32(00000000), ref: 00CA69E6

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 6c1e83a709551e443eac8c619d15319323fee2678fcceaa45ae18366c2a6b597
Instruction ID: cf2cffa6bf4443c4e9cc457c42efc2cb5ce698752b316172d537d47a32bd4169
Opcode Fuzzy Hash: 6c1e83a709551e443eac8c619d15319323fee2678fcceaa45ae18366c2a6b597
Instruction Fuzzy Hash: D561CE35101701EFCB318F25C9D8B2A77F1FB65316F148618E0629A6A0CB31AED6DF60

Function 00C69838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00C69944: GetWindowLongW.USER32(?,000000EB), ref: 00C69952

GetSysColor.USER32(0000000F), ref: 00C69862

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: b4a2ba9c2aba82f70e22e5c8f228419df3e127812e63381df84a8a33950474ae
Instruction ID: 8cf0f9e7348d5c57551c1ae66f50306ad352df0430e52408d3107e5c57fc1eb5
Opcode Fuzzy Hash: b4a2ba9c2aba82f70e22e5c8f228419df3e127812e63381df84a8a33950474ae
Instruction Fuzzy Hash: B3417E31504680AFDB305F389CC8BBA3BA9FB4A361F144619F9B28B1E1D6319D42DB10

Function 00CB96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00C9F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00CB9717
LoadStringW.USER32(00000000,?,00C9F7F8,00000001), ref: 00CB9720

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00C9F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00CB9742
LoadStringW.USER32(00000000,?,00C9F7F8,00000001), ref: 00CB9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00CB9866

Strings

^ ERROR, xrefs: 00CB97FB
Line %d:, xrefs: 00CB97A0
Line %d (File "%s"):, xrefs: 00CB978F
%s (%d) : ==> %s: %s %s, xrefs: 00CB984A
Error: , xrefs: 00CB981D

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 77c7c546857ff878ea5e9df98118f410ea57514212da899e8f4b5b1c482a01c3
Instruction ID: 341ea6c951c2c1d71f3b10aa622485a34ffa5c49b9a9857943392c8c66162eb3
Opcode Fuzzy Hash: 77c7c546857ff878ea5e9df98118f410ea57514212da899e8f4b5b1c482a01c3
Instruction Fuzzy Hash: EF415E72904219AACF04EBE0DD86EEE7378EF55341F500065FA05720A2EE356F8DDB65

Function 00CB06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C56B57: _wcslen.LIBCMT ref: 00C56B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00CB07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00CB07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00CB07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00CB0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00CB082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CB0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CB083C

Strings

SOFTWARE\Classes\, xrefs: 00CB070E
\IPC$, xrefs: 00CB0784
\CLSID, xrefs: 00CB0724

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: b62fb001a41e3b0556a91f899b4530e99094a3f137601e09d7f9eb66e6eda819
Instruction ID: c56f219127f7ceecefd56bc300ce194d97bdf5db89afc2701c64d50404c7b2c3
Opcode Fuzzy Hash: b62fb001a41e3b0556a91f899b4530e99094a3f137601e09d7f9eb66e6eda819
Instruction Fuzzy Hash: CB414676C10228EBCF11EBA0DC859EEB778FF54340F144169F811A71A1EB309E49DBA0

Function 00CE3F98 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00CE403B
CreateCompatibleDC.GDI32(00000000), ref: 00CE4042
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00CE4055
SelectObject.GDI32(00000000,00000000), ref: 00CE405D
GetPixel.GDI32(00000000,00000000,00000000), ref: 00CE4068
DeleteDC.GDI32(00000000), ref: 00CE4072
GetWindowLongW.USER32(?,000000EC), ref: 00CE407C
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00CE4092
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00CE409E

Strings

static, xrefs: 00CE3FD3

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: a47e472ec84474ce76c7ed147df78d5b47f35a6ee861509483d7316da7c964f2
Instruction ID: 72977c947316f5854923187539fb214c8a2cae4825d12b46bf5a8da9c06becae
Opcode Fuzzy Hash: a47e472ec84474ce76c7ed147df78d5b47f35a6ee861509483d7316da7c964f2
Instruction Fuzzy Hash: 48316E32501295ABDF219FA5CC89FDE3B69FF0D320F110221FA29E61A0C775D951EB54

Function 00CD3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CD3C5C
CoInitialize.OLE32(00000000), ref: 00CD3C8A
CoUninitialize.OLE32 ref: 00CD3C94
_wcslen.LIBCMT ref: 00CD3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00CD3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00CD3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00CD3F0E
CoGetObject.OLE32(?,00000000,00CEFB98,?), ref: 00CD3F2D
SetErrorMode.KERNEL32(00000000), ref: 00CD3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CD3FC4
VariantClear.OLEAUT32(?), ref: 00CD3FD8

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 7685bd83bcd9f248f90ece9bbcc73c9054b66c8e6471c4af3634ab0ac1361f7d
Instruction ID: f2ad595fac6045774cdc31245c984409b447507763faa59369cee7db3fa1ec40
Opcode Fuzzy Hash: 7685bd83bcd9f248f90ece9bbcc73c9054b66c8e6471c4af3634ab0ac1361f7d
Instruction Fuzzy Hash: 90C133716083459FD700DF68C88492BBBE9FF89744F10495EFA9A9B250D730EE46CB52

Function 00CC7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CC7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00CC7B8F
SHGetDesktopFolder.SHELL32(?), ref: 00CC7BA3
CoCreateInstance.OLE32(00CEFD08,00000000,00000001,00D16E6C,?), ref: 00CC7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00CC7C74
CoTaskMemFree.OLE32(?,?), ref: 00CC7CCC
SHBrowseForFolderW.SHELL32(?), ref: 00CC7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00CC7D7A
CoTaskMemFree.OLE32(00000000), ref: 00CC7D81
CoTaskMemFree.OLE32(00000000), ref: 00CC7DD6
CoUninitialize.OLE32 ref: 00CC7DDC

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 4201ec32245b72b1c84af5736042b91a7e9c5946e52353a3e65321204a80bc82
Instruction ID: 2b57a37be456059810e6d3a4e85f8f2c9456132e1ae543ce7e2c5a3226541ea6
Opcode Fuzzy Hash: 4201ec32245b72b1c84af5736042b91a7e9c5946e52353a3e65321204a80bc82
Instruction Fuzzy Hash: 30C1FC75A04105AFCB14DFA4C894EAEBBB9FF48314B148599E8169B261D730EE85CF90

Function 00CE541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CE5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CE5515
CharNextW.USER32(00000158), ref: 00CE5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CE5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CE559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CE55AC

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: a711e5a5782e704d57ab884d29427a2ec9bef3a6e4a5865b51c4f12816b78aa7
Instruction ID: ea7c8b4b805dd2b1b1035f3b9d424f7f5bc654908b52b3a2f05eed88b443ad3a
Opcode Fuzzy Hash: a711e5a5782e704d57ab884d29427a2ec9bef3a6e4a5865b51c4f12816b78aa7
Instruction Fuzzy Hash: 8B619075900689EFDF108F96CCC4AFE7BB9EB05728F104145F925AB291D7748A82DB60

Function 00CAFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00CAFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00CAFB08
VariantInit.OLEAUT32(?), ref: 00CAFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00CAFB3A
VariantCopy.OLEAUT32(?,?), ref: 00CAFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00CAFBA1
VariantClear.OLEAUT32(?), ref: 00CAFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00CAFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CAFBCC
VariantClear.OLEAUT32(?), ref: 00CAFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CAFBE9

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 40ffa3586021ea39b7f2fbe05524994889e7f74530c9ec531da9335042dab555
Instruction ID: 5f008a42d277375fafb12a129e5505bce6e1551ed0350bbb4f4fa11dd59677cf
Opcode Fuzzy Hash: 40ffa3586021ea39b7f2fbe05524994889e7f74530c9ec531da9335042dab555
Instruction Fuzzy Hash: B2412235A0021A9FCB00DFA4D8D4EBDBBB9FF49354F008069F955AB261D734A946DFA0

Function 00CB9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00CB9CA1
GetAsyncKeyState.USER32(000000A0), ref: 00CB9D22
GetKeyState.USER32(000000A0), ref: 00CB9D3D
GetAsyncKeyState.USER32(000000A1), ref: 00CB9D57
GetKeyState.USER32(000000A1), ref: 00CB9D6C
GetAsyncKeyState.USER32(00000011), ref: 00CB9D84
GetKeyState.USER32(00000011), ref: 00CB9D96
GetAsyncKeyState.USER32(00000012), ref: 00CB9DAE
GetKeyState.USER32(00000012), ref: 00CB9DC0
GetAsyncKeyState.USER32(0000005B), ref: 00CB9DD8
GetKeyState.USER32(0000005B), ref: 00CB9DEA

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c46fc536cd47ffe24ddfbaeb6c269fc41a9360b509dbbae44ef3833bab1800a2
Instruction ID: b9a192fd1c73e7c4b38867ab2569e2fce610b993502190aad507f3a0e0434b7a
Opcode Fuzzy Hash: c46fc536cd47ffe24ddfbaeb6c269fc41a9360b509dbbae44ef3833bab1800a2
Instruction Fuzzy Hash: 3041D6345047C969FF31877588453F5BEA0EF11344F44805ADBD65A5C2DBB4ABC8CBA2

Function 00CD055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00CD05BC
inet_addr.WSOCK32(?), ref: 00CD061C
gethostbyname.WSOCK32(?), ref: 00CD0628
IcmpCreateFile.IPHLPAPI ref: 00CD0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CD06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CD06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00CD07B9
WSACleanup.WSOCK32 ref: 00CD07BF

Strings

Ping, xrefs: 00CD0676

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: d317893fe28eeaa441c5d5610df73dd1cc087d89a7678aacfa00296bcbd6d391
Instruction ID: c13c3f1b3b5e8fdc70a56999972e852f6dd50cc22a23d7c82ff9c11d3ed4dd48
Opcode Fuzzy Hash: d317893fe28eeaa441c5d5610df73dd1cc087d89a7678aacfa00296bcbd6d391
Instruction Fuzzy Hash: 3D916D356042419FD320DF19D489F1ABBE0AF44318F2585AAF9698F7A2D730ED86CF91

Function 00CD8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00CD8CF3

Part of subcall function 00CB8E54: _wcslen.LIBCMT ref: 00CB8E77

_wcslen.LIBCMT ref: 00CD8D4E
_wcslen.LIBCMT ref: 00CD8D9C
_wcslen.LIBCMT ref: 00CD8DDC
_wcslen.LIBCMT ref: 00CD8E6E

Strings

winapi, xrefs: 00CD8D96, 00CD8D9B
stdcall, xrefs: 00CD8DD6, 00CD8DDB
none, xrefs: 00CD8E65, 00CD8E6A
cdecl, xrefs: 00CD8D48, 00CD8D4D

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 0477e9bcf0712eec47ef770dafa96dc7cda23653b8101416606cb2c808aa787b
Instruction ID: ace5e5462b5dec1fbb78a928833c923a562e7218fe2123a54ae0bd4e602fb0bd
Opcode Fuzzy Hash: 0477e9bcf0712eec47ef770dafa96dc7cda23653b8101416606cb2c808aa787b
Instruction Fuzzy Hash: 9351B435A001169BCF14DF68C9409BEB7A6BF65710B20422AEA26E77C5DF30DE48DB90

Function 00CD372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00CD3774
CoUninitialize.OLE32 ref: 00CD377F
CoCreateInstance.OLE32(?,00000000,00000017,00CEFB78,?), ref: 00CD37D9
IIDFromString.OLE32(?,?), ref: 00CD384C
VariantInit.OLEAUT32(?), ref: 00CD38E4
VariantClear.OLEAUT32(?), ref: 00CD3936

Strings

NULL Pointer assignment, xrefs: 00CD381E
Invalid parameter, xrefs: 00CD3865
Failed to create object, xrefs: 00CD37E4, 00CD389A

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: c64be80b08d2ddaa7b8d64472dc673af0bcb9c0cab67d96b49b1c35c9b1dd12d
Instruction ID: 7eb973f62c9f75fbf224eba16923f1505c58f741c09c76a25002fc6449dfc3a8
Opcode Fuzzy Hash: c64be80b08d2ddaa7b8d64472dc673af0bcb9c0cab67d96b49b1c35c9b1dd12d
Instruction Fuzzy Hash: 4F61BD70608341AFD310DF54D888B6AB7E8EF48710F10080AFA959B391D770EE89DB97

Function 00CC3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00CC33CF

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00CC33F0

Strings

Incorrect parameters to object property !, xrefs: 00CC34AB
Line %d (File "%s"):, xrefs: 00CC3443, 00CC345C
^ ERROR , xrefs: 00CC349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00CC3504
Error: , xrefs: 00CC34D1
"%s" (%d) : ==> %s:, xrefs: 00CC3522

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 9e77f84b57ab5c8105bad0845922d8cefccc08d44dcf12b42c4fc9f4a703f503
Instruction ID: e552a321530505d0c9612771a69fa1a74912dd76f7caa31602164ccf25f5aec8
Opcode Fuzzy Hash: 9e77f84b57ab5c8105bad0845922d8cefccc08d44dcf12b42c4fc9f4a703f503
Instruction Fuzzy Hash: F5518F72900249BADF14EBE0DD42EEEB779EF14341F108165F905720A2EB316F99EB64

Function 00CBB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CBB5FC
_wcslen.LIBCMT ref: 00CBB608
_wcslen.LIBCMT ref: 00CBB64D
_wcslen.LIBCMT ref: 00CBB68C
_wcslen.LIBCMT ref: 00CBB6C7

Strings

APPEND, xrefs: 00CBB6C1, 00CBB6C6
KEYS, xrefs: 00CBB647, 00CBB64C
EXISTS, xrefs: 00CBB686, 00CBB68B
REMOVE, xrefs: 00CBB602, 00CBB607

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: f40eda9fbccae6207f2f6f38624ea6a11e66fb558ab09ad0194efbee4539d14a
Instruction ID: 822c672389688c7db01431179df51eed720253d9782d4ac2b65c5c0fbf7e46da
Opcode Fuzzy Hash: f40eda9fbccae6207f2f6f38624ea6a11e66fb558ab09ad0194efbee4539d14a
Instruction Fuzzy Hash: 1341A432A001269BCB245F7D89915FEB7B5AFA0754F244229F535DB284EB71CE81C7A0

Function 00CC5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CC53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00CC5416
GetLastError.KERNEL32 ref: 00CC5420
SetErrorMode.KERNEL32(00000000,READY), ref: 00CC54A7

Strings

READONLY, xrefs: 00CC5452
NOTREADY, xrefs: 00CC544B
INVALID, xrefs: 00CC5459
UNKNOWN, xrefs: 00CC5444
READY, xrefs: 00CC5460, 00CC5468

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 6d0e7eda19422f6bcb9d1ce2c2ee7f6e130fe4922a2871633741ba11a670ee32
Instruction ID: cf298d120f9d51ec154b2aecdf32988954f5b1a419d29d6c0bd29561b8e1454d
Opcode Fuzzy Hash: 6d0e7eda19422f6bcb9d1ce2c2ee7f6e130fe4922a2871633741ba11a670ee32
Instruction Fuzzy Hash: CF318075A005049FC718DF68D884FEA7BB4EF45305F148069E815DB292DB71EEC6CBA0

Function 00CE3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00CE3C79
SetMenu.USER32(?,00000000), ref: 00CE3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CE3D10
IsMenu.USER32(?), ref: 00CE3D24
CreatePopupMenu.USER32 ref: 00CE3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CE3D5B
DrawMenuBar.USER32 ref: 00CE3D63

Strings

F, xrefs: 00CE3D4E
0, xrefs: 00CE3C54

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b9479a37fc6be74bb2a7fd22c4401301894a5184551ba89e0a3f2dccc9632773
Instruction ID: 66f23273704747c7332b620313de2373efc1975b46eca198eb5595d500dadfc8
Opcode Fuzzy Hash: b9479a37fc6be74bb2a7fd22c4401301894a5184551ba89e0a3f2dccc9632773
Instruction Fuzzy Hash: 51418C79A01389AFDB14CF65D888BAA77B5FF49340F140028E9169B360D730AA11DF94

Function 00CB1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

Part of subcall function 00CB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CB3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00CB1F64
GetDlgCtrlID.USER32 ref: 00CB1F6F
GetParent.USER32 ref: 00CB1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CB1F8E
GetDlgCtrlID.USER32(?), ref: 00CB1F97
GetParent.USER32(?), ref: 00CB1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CB1FAE

Strings

ListBox, xrefs: 00CB1F21
ComboBox, xrefs: 00CB1EEC

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 045555eb6b56af6a021ac0b42c37ea8a54e9ebeb297da54b132d9bb1306456de
Instruction ID: 48ead791d59e76b8152d1bee2914fdab74cd85564b02117ee445671310c866f7
Opcode Fuzzy Hash: 045555eb6b56af6a021ac0b42c37ea8a54e9ebeb297da54b132d9bb1306456de
Instruction Fuzzy Hash: 1221BE74A00214BBCF04AFE0DC95AFEBBB9EF0A350F500155BD61A72A1CB385A49DB60

Function 00CB1FC0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

Part of subcall function 00CB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CB3CCA

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00CB2043
GetDlgCtrlID.USER32 ref: 00CB204E
GetParent.USER32 ref: 00CB206A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CB206D
GetDlgCtrlID.USER32(?), ref: 00CB2076
GetParent.USER32(?), ref: 00CB208A
SendMessageW.USER32(00000000,?,00000111,?), ref: 00CB208D

Strings

ListBox, xrefs: 00CB2002
ComboBox, xrefs: 00CB1FCD

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 8e2f3071c9cc7429cc07af7e69fc367d0801c5ca226435c434fc877d77ad7a9e
Instruction ID: bf2d021ee73d89f608ae8bac8765c2890b2bc66cfd69bc6be9f2cae09e2c41ef
Opcode Fuzzy Hash: 8e2f3071c9cc7429cc07af7e69fc367d0801c5ca226435c434fc877d77ad7a9e
Instruction Fuzzy Hash: 0D21D175A00218BBCF10AFA4DCC5FEFBBB8EF09340F100445B961A71A1CA795959EB60

Function 00CE3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CE3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CE3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00CE3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CE3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CE3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00CE3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00CE3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00CE3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00CE3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00CE3C13

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: e5285b687f7afee28956460c0213fb0da930491636d3f2d1197cb002352f91df
Instruction ID: 7bbd56bfce361af5a5a9232a83106498df530ffe022ff26b08ca2d910ad4fae0
Opcode Fuzzy Hash: e5285b687f7afee28956460c0213fb0da930491636d3f2d1197cb002352f91df
Instruction Fuzzy Hash: 29616D75900288AFDB10DF64CC85EEE77B8EB09700F104199FA15E7291C770AE85DF60

Function 00CBB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00CBB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00CBA1E1,?,00000001), ref: 00CBB165
GetWindowThreadProcessId.USER32(00000000), ref: 00CBB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CBA1E1,?,00000001), ref: 00CBB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00CBB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00CBA1E1,?,00000001), ref: 00CBB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CBA1E1,?,00000001), ref: 00CBB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00CBA1E1,?,00000001), ref: 00CBB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00CBA1E1,?,00000001), ref: 00CBB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00CBA1E1,?,00000001), ref: 00CBB21D

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 0b6735a2a866ed9b4c2bc3de8b5d538f4222040aafe8c00d1cc4a4bf6538398f
Instruction ID: f4ce211b9db1af30eae807ffe5380c2016ac2ac25e25b828627d19bda8478b6f
Opcode Fuzzy Hash: 0b6735a2a866ed9b4c2bc3de8b5d538f4222040aafe8c00d1cc4a4bf6538398f
Instruction Fuzzy Hash: F8316B75640304BFDB209F64DD88FAE7BA9BB61311F104019FA25DA290D7B89E428F71

Function 00C82C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C82C94

Part of subcall function 00C829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C8D7D1,00000000,00000000,00000000,00000000,?,00C8D7F8,00000000,00000007,00000000,?,00C8DBF5,00000000), ref: 00C829DE
Part of subcall function 00C829C8: GetLastError.KERNEL32(00000000,?,00C8D7D1,00000000,00000000,00000000,00000000,?,00C8D7F8,00000000,00000007,00000000,?,00C8DBF5,00000000,00000000), ref: 00C829F0

_free.LIBCMT ref: 00C82CA0
_free.LIBCMT ref: 00C82CAB
_free.LIBCMT ref: 00C82CB6
_free.LIBCMT ref: 00C82CC1
_free.LIBCMT ref: 00C82CCC
_free.LIBCMT ref: 00C82CD7
_free.LIBCMT ref: 00C82CE2
_free.LIBCMT ref: 00C82CED
_free.LIBCMT ref: 00C82CFB

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a228d76a960f4b9d5cd105231a75ea2c6f3aea5582c6ba92a892a30278db45ea
Instruction ID: c532d0f5b64e0e83420b2fbc568ae8a63bbefd49de358d5d3bdb0eb209c44abb
Opcode Fuzzy Hash: a228d76a960f4b9d5cd105231a75ea2c6f3aea5582c6ba92a892a30278db45ea
Instruction Fuzzy Hash: 2311B376100108BFCB02FF94D886CDD3BA9FF05354F8244A5FA489F222DA35EE50AB94

Function 00CC7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CC7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00CC7FC1
GetFileAttributesW.KERNEL32(?), ref: 00CC7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00CC8005
SetCurrentDirectoryW.KERNEL32(?), ref: 00CC8017
SetCurrentDirectoryW.KERNEL32(?), ref: 00CC8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CC80B0

Strings

*.*, xrefs: 00CC8066

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: ed64b5ba3b6c1bb636c7a8fedc08b816fe3018961f3720ca05ffc4a875ae8004
Instruction ID: d2f62192f64c3c3a2660c23e83bf02018ba298c5231db568c352ceff286448ce
Opcode Fuzzy Hash: ed64b5ba3b6c1bb636c7a8fedc08b816fe3018961f3720ca05ffc4a875ae8004
Instruction Fuzzy Hash: E3818D725082419FCB24EF55C884EAAB3E8FB89310F14495EF895D7250EB34EE899B52

Function 00C55BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C55C7A

Part of subcall function 00C55D0A: GetClientRect.USER32(?,?), ref: 00C55D30
Part of subcall function 00C55D0A: GetWindowRect.USER32(?,?), ref: 00C55D71
Part of subcall function 00C55D0A: ScreenToClient.USER32(?,?), ref: 00C55D99

GetDC.USER32 ref: 00C946F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C94708
SelectObject.GDI32(00000000,00000000), ref: 00C94716
SelectObject.GDI32(00000000,00000000), ref: 00C9472B
ReleaseDC.USER32(?,00000000), ref: 00C94733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C947C4

Strings

U, xrefs: 00C94693

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 0a8492812c082e9b3befd2f1e14f4c2a61248cbf4ec79c9d84658fe346930fdb
Instruction ID: 488d4a60ef572b54d6b066f1bf5520f695b5a0271c5e98efb0e4d1fb2e7df361
Opcode Fuzzy Hash: 0a8492812c082e9b3befd2f1e14f4c2a61248cbf4ec79c9d84658fe346930fdb
Instruction Fuzzy Hash: CF71F434400209DFCF298FA4C988EBA7BB5FF4A351F144269FD619A266C3309D82DF60

Function 00CC359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00CC35E4

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

LoadStringW.USER32(00D22390,?,00000FFF,?), ref: 00CC360A

Strings

^ ERROR, xrefs: 00CC36C9
Line %d (File "%s"):, xrefs: 00CC366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00CC3724
Error: , xrefs: 00CC36EF
"%s" (%d) : ==> %s:, xrefs: 00CC3742

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: c6d875c7444e0b24a7f396ca14b17508e79e3056581a6ede7448031e416debad
Instruction ID: 5f540977987b5dab87b80a33325f6b9ab0ba88c83450ff731213610ad4af7c14
Opcode Fuzzy Hash: c6d875c7444e0b24a7f396ca14b17508e79e3056581a6ede7448031e416debad
Instruction Fuzzy Hash: CE519F76900249BBCF14EBA0DC82EEDBB39EF14341F044169F505721A2EB306BC9EB64

Function 00CE8B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C69BB2

Part of subcall function 00C6912D: GetCursorPos.USER32(?), ref: 00C69141
Part of subcall function 00C6912D: ScreenToClient.USER32(00000000,?), ref: 00C6915E
Part of subcall function 00C6912D: GetAsyncKeyState.USER32(00000001), ref: 00C69183
Part of subcall function 00C6912D: GetAsyncKeyState.USER32(00000002), ref: 00C6919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00CE8B6B
ImageList_EndDrag.COMCTL32 ref: 00CE8B71
ReleaseCapture.USER32 ref: 00CE8B77
SetWindowTextW.USER32(?,00000000), ref: 00CE8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00CE8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00CE8CFF

Strings

@GUI_DROPID, xrefs: 00CE8C51
@GUI_DRAGFILE, xrefs: 00CE8C9A

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 3f4d98fdf74522f146aa14d28dee40964c589a47d161895d815d24b32f8e3dd5
Instruction ID: 14e59ed36ff1a83224b39039e87b8acaf14ab8ea5784424c39ddb4f5ff5c0cf9
Opcode Fuzzy Hash: 3f4d98fdf74522f146aa14d28dee40964c589a47d161895d815d24b32f8e3dd5
Instruction Fuzzy Hash: A351CB34104340AFD710DF24DC96BAE77E4FB98714F10062DF966A72E1CB30AA49DB62

Function 00CCC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CCC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CCC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CCC2CA
GetLastError.KERNEL32 ref: 00CCC322
SetEvent.KERNEL32(?), ref: 00CCC336
InternetCloseHandle.WININET(00000000), ref: 00CCC341

Strings

, xrefs: 00CCC2BB

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 13779b1179fe7e924b3ddf15a1c7885dbbbac3a094711615012ba97c0d55480a
Instruction ID: f2544da2956f33be46e6cd4c449ba5778d77dc0efbfffce0166932f8f56386b8
Opcode Fuzzy Hash: 13779b1179fe7e924b3ddf15a1c7885dbbbac3a094711615012ba97c0d55480a
Instruction Fuzzy Hash: 3031ABB1600248AFD7219FA5D8C8FAB7BFCEB49740B08851EF45AD6210DB30DE069B60

Function 00CB989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C93AAF,?,?,Bad directive syntax error,00CECC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00CB98BC
LoadStringW.USER32(00000000,?,00C93AAF,?), ref: 00CB98C3

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00CB9987

Strings

Line %d:, xrefs: 00CB9912
Line %d (File "%s"):, xrefs: 00CB992D
., xrefs: 00CB996D
Error: , xrefs: 00CB9955
%s (%d) : ==> %s.: %s %s, xrefs: 00CB98F1

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: dea140a7e2f66ac00fadd1cc78ad3927016bc628a20d58033d5472488ad05ad4
Instruction ID: 313500a9fd904f933754046379933f2429f581d451c40bffbdc8433b76111b58
Opcode Fuzzy Hash: dea140a7e2f66ac00fadd1cc78ad3927016bc628a20d58033d5472488ad05ad4
Instruction Fuzzy Hash: 82216F31D4425EFBCF11AF90DC46EEE7735FF14301F044469F915650A2EA719698EB21

Function 00CB209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00CB20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00CB20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00CB214D

Strings

list, xrefs: 00CB212F
details, xrefs: 00CB20FB
largeicons, xrefs: 00CB20E1
SHELLDLL_DefView, xrefs: 00CB20CC
smallicons, xrefs: 00CB2115

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 5f410f99267d6d90a188b13beb3d60f301c4e9fe64a12da4d6c9e56f603d3a6d
Instruction ID: d9adc7fc13d26ee368b9b34394acdb5c989e77951c99c7165746767034301814
Opcode Fuzzy Hash: 5f410f99267d6d90a188b13beb3d60f301c4e9fe64a12da4d6c9e56f603d3a6d
Instruction Fuzzy Hash: CF112976688707B9FA052224FC07EEF379CCB55324F204016FB09E50D5FF696D466A24

Function 00C88D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c4789fd93007c06396fde2a45aba90b8de5e8793f9fb0b37493bf0029f9098d
Instruction ID: f9fb057b50164e59f5dff95655d1048d4931a4459b0bb769ce39f4af6a7ffb49
Opcode Fuzzy Hash: 5c4789fd93007c06396fde2a45aba90b8de5e8793f9fb0b37493bf0029f9098d
Instruction Fuzzy Hash: ECC1E474904349AFCB11EFA8C881BBDBBB0EF1D318F184159E525A7392C7349A42DB69

Function 00C8CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00C8CEB7
_free.LIBCMT ref: 00C8CF22
_free.LIBCMT ref: 00C8CF48
_free.LIBCMT ref: 00C8CF71
_free.LIBCMT ref: 00C8CFA9
_free.LIBCMT ref: 00C8CFDA
_free.LIBCMT ref: 00C8D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00C8D09C
_free.LIBCMT ref: 00C8D0B5

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 0056d1ade4a6df543403c4e22101cda1d30a8f4c631be144f5354fe445d45f78
Instruction ID: 54d97965a63fcab9a6db41f8684e2cb0b87f3f40ea108714c4e399ce96e15da6
Opcode Fuzzy Hash: 0056d1ade4a6df543403c4e22101cda1d30a8f4c631be144f5354fe445d45f78
Instruction Fuzzy Hash: B6615671904300AFEF21BFF498C5A6A7BA5EF01328F15416EFA55D7282D7319E029778

Function 00C68B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00CA6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00CA68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00CA68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00CA68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00CA68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C68874,00000000,00000000,00000000,000000FF,00000000), ref: 00CA6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00CA691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C68874,00000000,00000000,00000000,000000FF,00000000), ref: 00CA692D

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: fa354490e6864fa1f325ccddb27b91c21e2a6d01c559b62511101effa0f96475
Instruction ID: 4d09c842447022dd38ba4269f0733c07c945dfb97e6ced0f8ff14c47bccfde90
Opcode Fuzzy Hash: fa354490e6864fa1f325ccddb27b91c21e2a6d01c559b62511101effa0f96475
Instruction Fuzzy Hash: 5151A970600309EFDB20CF25CC95FAA7BB9FB98754F144618F922972A0DB70EA81DB50

Function 00CCC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CCC182
GetLastError.KERNEL32 ref: 00CCC195
SetEvent.KERNEL32(?), ref: 00CCC1A9

Part of subcall function 00CCC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CCC272
Part of subcall function 00CCC253: GetLastError.KERNEL32 ref: 00CCC322
Part of subcall function 00CCC253: SetEvent.KERNEL32(?), ref: 00CCC336
Part of subcall function 00CCC253: InternetCloseHandle.WININET(00000000), ref: 00CCC341

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: cf844fa6fa2bd7141ef300c2514f4c88d537270a7210ee8c77d84f7636615077
Instruction ID: 5d2c4ac249035009b8bed77491764e93ae6e28c3b0b5ba9f002f0927da18ef3c
Opcode Fuzzy Hash: cf844fa6fa2bd7141ef300c2514f4c88d537270a7210ee8c77d84f7636615077
Instruction Fuzzy Hash: 0D319E71600745AFDB219FA6DCC4F6ABBF9FF18300B04441DF96A86620D730E915EBA0

Function 00CB25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CB3A57
Part of subcall function 00CB3A3D: GetCurrentThreadId.KERNEL32 ref: 00CB3A5E
Part of subcall function 00CB3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CB25B3), ref: 00CB3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00CB25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00CB25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00CB25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00CB25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00CB2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00CB2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00CB260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00CB2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00CB2627

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a9dc2a12e8e8ec593d14be3ef12a5db90973f3ed8abad9a6548ef4aab2470e99
Instruction ID: 9c46eb63da2ae87e4b4fd92b4233cf974cc2fad13a6f01ca2c45f1088f9afb3e
Opcode Fuzzy Hash: a9dc2a12e8e8ec593d14be3ef12a5db90973f3ed8abad9a6548ef4aab2470e99
Instruction Fuzzy Hash: 0B01D430390750BBFB2067699CCAF9E3F59DB4EB12F100011F318AE0D1C9E224459A69

Function 00CB1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00CB1449,?,?,00000000), ref: 00CB180C
HeapAlloc.KERNEL32(00000000,?,00CB1449,?,?,00000000), ref: 00CB1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CB1449,?,?,00000000), ref: 00CB1828
GetCurrentProcess.KERNEL32(?,00000000,?,00CB1449,?,?,00000000), ref: 00CB1830
DuplicateHandle.KERNEL32(00000000,?,00CB1449,?,?,00000000), ref: 00CB1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CB1449,?,?,00000000), ref: 00CB1843
GetCurrentProcess.KERNEL32(00CB1449,00000000,?,00CB1449,?,?,00000000), ref: 00CB184B
DuplicateHandle.KERNEL32(00000000,?,00CB1449,?,?,00000000), ref: 00CB184E
CreateThread.KERNEL32(00000000,00000000,00CB1874,00000000,00000000,00000000), ref: 00CB1868

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 92f2c13f9f0fbfc40abb6c085baee7d55924770f4087faf17393ce17334be9cb
Instruction ID: a1cb364643153d8d9c2f6e21269cc53a988f799557e238fabf96fac86b9a758a
Opcode Fuzzy Hash: 92f2c13f9f0fbfc40abb6c085baee7d55924770f4087faf17393ce17334be9cb
Instruction Fuzzy Hash: F701A8B5240348BFE610ABA5DCC9F6F3BACEB89B11F414411FA05DB1A1CA7198118B20

Function 00CDA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00CBD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00CBD501
Part of subcall function 00CBD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00CBD50F
Part of subcall function 00CBD4DC: CloseHandle.KERNELBASE(00000000), ref: 00CBD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CDA16D
GetLastError.KERNEL32 ref: 00CDA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CDA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00CDA268
GetLastError.KERNEL32(00000000), ref: 00CDA273
CloseHandle.KERNEL32(00000000), ref: 00CDA2C4

Strings

SeDebugPrivilege, xrefs: 00CDA18F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 6d4067db677b3b92c716ee2be79adee88909445cc44333e8a52e1578fa11b52a
Instruction ID: cfe28505f8cbf852c2bd2e74ea85bc9546d2beace38953e860d11f9f7d1782bd
Opcode Fuzzy Hash: 6d4067db677b3b92c716ee2be79adee88909445cc44333e8a52e1578fa11b52a
Instruction Fuzzy Hash: AB619F342042429FD710DF19C4D4F19BBE1AF44318F58849DE96A8B7A3C772ED89CB92

Function 00CE3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CE3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00CE393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CE3954
_wcslen.LIBCMT ref: 00CE3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00CE39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CE39F4

Strings

SysListView32, xrefs: 00CE38F7

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 37e87792397743db4ca493b5b2dddc0d72f68e2f06ea9d81f6f2331a90e2fe13
Instruction ID: 5f7a541ad29634d1d79982d66d6927852e6636b21b2ed6c580aa60f1bcbf77c2
Opcode Fuzzy Hash: 37e87792397743db4ca493b5b2dddc0d72f68e2f06ea9d81f6f2331a90e2fe13
Instruction Fuzzy Hash: CD41B471A00399BBDF219F65CC89BEE77A9EF18350F100526F958E7281D771AE84CB90

Function 00CBBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CBBCFD
IsMenu.USER32(00000000), ref: 00CBBD1D
CreatePopupMenu.USER32 ref: 00CBBD53
GetMenuItemCount.USER32(00DA5B50), ref: 00CBBDA4
InsertMenuItemW.USER32(00DA5B50,?,00000001,00000030), ref: 00CBBDCC

Strings

2, xrefs: 00CBBD37
0, xrefs: 00CBBCA8

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: bcd8881a7bd5722e299f471c67b2cc1a53d124bc71ab6c18a956c4d9f28477ab
Instruction ID: cd9f3f5460045e2df27db808f266154e804677d9511242bd478d48c20217f979
Opcode Fuzzy Hash: bcd8881a7bd5722e299f471c67b2cc1a53d124bc71ab6c18a956c4d9f28477ab
Instruction Fuzzy Hash: 7A51AD70A04205DBDF20CFB9D8C4BEEBBF4AF55314F144219E4219B298D7B8AE41CB61

Function 00CBC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00CBC913

Strings

stop, xrefs: 00CBC8E4
info, xrefs: 00CBC8B4
warning, xrefs: 00CBC8FC
blank, xrefs: 00CBC895
question, xrefs: 00CBC8CC

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: bfd22529d5ba6132473a753434a21e5ef9d85f6c728fda8db13cc8e5e6c74546
Instruction ID: 67e1b81bc0f2008990545cd589ad0b728ddf4c35a749fec07a717aa2116fdd9c
Opcode Fuzzy Hash: bfd22529d5ba6132473a753434a21e5ef9d85f6c728fda8db13cc8e5e6c74546
Instruction Fuzzy Hash: 58112732A89306BEB7049B54ACC2DEF279CDF15325F20402AF504E61C2EBA19E40A274

Function 00CBDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00CBDE42
gethostname.WSOCK32(?,00000100), ref: 00CBDE5C
gethostbyname.WSOCK32(?), ref: 00CBDE69
inet_ntoa.WSOCK32(?), ref: 00CBDEAB
_strcat.LIBCMT ref: 00CBDEB9
WSACleanup.WSOCK32 ref: 00CBDEDE

Strings

0.0.0.0, xrefs: 00CBDE87

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 7fe71d2f44f94eaaf526c2b265c825fb4b7a92c52f30033f5257daa23ca3aa5c
Instruction ID: 5825eaf00292d7f08b6038f73786594785b4029429b696ab1a3d14981980f4ae
Opcode Fuzzy Hash: 7fe71d2f44f94eaaf526c2b265c825fb4b7a92c52f30033f5257daa23ca3aa5c
Instruction Fuzzy Hash: B9112671904255AFCB34AB21DC8AFEE77BCDF11711F0001A9F55AAB091FF71CA829A60

Function 00CE9F86 Relevance: 12.3, APIs: 8, Instructions: 260windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C69BB2

GetSystemMetrics.USER32(0000000F), ref: 00CE9FC7
GetSystemMetrics.USER32(0000000F), ref: 00CE9FE7
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00CEA224
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00CEA242
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00CEA263
ShowWindow.USER32(00000003,00000000), ref: 00CEA282
InvalidateRect.USER32(?,00000000,00000001), ref: 00CEA2A7
DefDlgProcW.USER32(?,00000005,?,?), ref: 00CEA2CA

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 3544024f4ba4f291028c2794b031f789ba4fd5569ff0751564a8b5cdcaaac982
Instruction ID: 756c2ad58ccffad20966f5a9d1cd520eae1e52bc92ece0ea573ce3c0e460d6a4
Opcode Fuzzy Hash: 3544024f4ba4f291028c2794b031f789ba4fd5569ff0751564a8b5cdcaaac982
Instruction Fuzzy Hash: 34B1B831600255EFCF14CF6AC9C57AE7BB2FF44701F088069ED59AB295D731AA40CB61

Function 00CBED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00CBED2A
_wcslen.LIBCMT ref: 00CBED3B
_wcslen.LIBCMT ref: 00CBED79
_wcslen.LIBCMT ref: 00CBEDAF
_wcslen.LIBCMT ref: 00CBEDDF
_wcslen.LIBCMT ref: 00CBEDEF
_wcslen.LIBCMT ref: 00CBEE2B
_wcslen.LIBCMT ref: 00CBEE5A

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 4fa5a01bd3edf47b2a902b2cab20ecd9ece0c2be27e3f099e7d12171fa2f6a80
Instruction ID: 1a641812abeccce1a841110153e2f05d2189637f4c9070184c36f809b63e7b59
Opcode Fuzzy Hash: 4fa5a01bd3edf47b2a902b2cab20ecd9ece0c2be27e3f099e7d12171fa2f6a80
Instruction Fuzzy Hash: 9741B065D1021876CB11EBF4C88AACFB7BCAF45710F50C566E618E3122FB34E646D3A6

Function 00C6F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00CA682C,00000004,00000000,00000000), ref: 00C6F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00CA682C,00000004,00000000,00000000), ref: 00CAF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00CA682C,00000004,00000000,00000000), ref: 00CAF454

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 8e015ae02629e5381992e2927ce0f3d5394d69050f0712f4a8b8b8328c5872c0
Instruction ID: e33caa7fac7f1eabb51213b1453a371af306ee0aabea00684641a28bb8c9587f
Opcode Fuzzy Hash: 8e015ae02629e5381992e2927ce0f3d5394d69050f0712f4a8b8b8328c5872c0
Instruction Fuzzy Hash: 3F412031508780BFD7398B69E8C872E7BA1AF5B318F14443CE0A757670C6719A83DB11

Function 00CE2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CE2D1B
GetDC.USER32(00000000), ref: 00CE2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CE2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00CE2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CE2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CE2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CE5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00CE2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CE2DE1

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 9960459493e79794d7bb6213a74fcbbd89553352c08f7b227a1ff53ba13fba0a
Instruction ID: fe9128b187852948c0b6852cb327f6ca6d1fee6f545f530b65c687620ad5ec32
Opcode Fuzzy Hash: 9960459493e79794d7bb6213a74fcbbd89553352c08f7b227a1ff53ba13fba0a
Instruction Fuzzy Hash: A5318972201294BFEB218F558C8AFEB3BADEB49721F044055FE089E291C6759D41CBA0

Function 00CB5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00CB5637
_memcmp.LIBVCRUNTIME ref: 00CB5659
_memcmp.LIBVCRUNTIME ref: 00CB5671
_memcmp.LIBVCRUNTIME ref: 00CB5684
_memcmp.LIBVCRUNTIME ref: 00CB569E
_memcmp.LIBVCRUNTIME ref: 00CB56B1
_memcmp.LIBVCRUNTIME ref: 00CB56C9
_memcmp.LIBVCRUNTIME ref: 00CB56E4

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 618991199beb9d67ea7116e5899215ef38f314f02bbff56b6e628d163651f106
Instruction ID: 3fd0eba2611687fbba63d01700e5e192cbdf95b7140bddca3f5b50324f726e0c
Opcode Fuzzy Hash: 618991199beb9d67ea7116e5899215ef38f314f02bbff56b6e628d163651f106
Instruction Fuzzy Hash: C721EE71740A0977E21455269D82FFB335CAF20388F684034FD099B781FB60EF1192E5

Function 00CD4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00CD502E, 00CD5383
Not an Object type, xrefs: 00CD5007

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 36cbede2d455e5b9dc9daa43c4e452048b6c9ad05642fdf76d611853a4eed388
Instruction ID: 6d156ca4d3ab941b712ebaf759850fc3902eed596cb4ffc71668d0717203a49b
Opcode Fuzzy Hash: 36cbede2d455e5b9dc9daa43c4e452048b6c9ad05642fdf76d611853a4eed388
Instruction Fuzzy Hash: 6CD19275A0060A9FDF10CF98C881FAEB7B5BF48344F14806AEA25AB391D771EE45CB50

Function 00C91522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00C917FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00C915CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00C917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C91651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00C917FB,?,00C917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C916E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00C917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C916FB

Part of subcall function 00C83820: RtlAllocateHeap.NTDLL(00000000,?,00D21444,?,00C6FDF5,?,?,00C5A976,00000010,00D21440,00C513FC,?,00C513C6,?,00C51129), ref: 00C83852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00C917FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C91777
__freea.LIBCMT ref: 00C917A2
__freea.LIBCMT ref: 00C917AE

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: e7e69f7537f817a1f929e296e669532dce9e0d7630ced2ba936002404609157a
Instruction ID: 40397b08966881a5de8e144f0bc4799c6908770f3d3950257913443fa38872ed
Opcode Fuzzy Hash: e7e69f7537f817a1f929e296e669532dce9e0d7630ced2ba936002404609157a
Instruction Fuzzy Hash: 4691B172E002179ADF208EA5C88AAEE7BF5AF49710F1D4659ED11E7181DB35CE41CB60

Function 00CD4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CD4648
VariantInit.OLEAUT32(?), ref: 00CD4749
VariantClear.OLEAUT32(?), ref: 00CD4753
VariantClear.OLEAUT32(?), ref: 00CD47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00CD45D8, 00CD4706, 00CD47BE
Incorrect Object type in FOR..IN loop, xrefs: 00CD472C

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: e187f92b188fb222681e8d440e4c1c696de9bd07a8cee8cc70aef835d778d07a
Instruction ID: 2eb7284d63dd3fa4c095aece4420644a24ff61348bfcc2ba402272f9c7b2a107
Opcode Fuzzy Hash: e187f92b188fb222681e8d440e4c1c696de9bd07a8cee8cc70aef835d778d07a
Instruction Fuzzy Hash: C291A371A00215AFDF24CFA5D884FAEBBB8EF45710F10855AF715AB280D7709A45CFA0

Function 00CC1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00CC125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00CC1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00CC12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CC12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CC135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CC13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00CC1430

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 86515fd10d38a033e33b854ebd645353f3bfb60faf1f84478ea465f2fe2528c5
Instruction ID: a522197e3906ccdf8f6aaa2b71f9545e8e9ac4d7f816687df90500da4975f6e1
Opcode Fuzzy Hash: 86515fd10d38a033e33b854ebd645353f3bfb60faf1f84478ea465f2fe2528c5
Instruction Fuzzy Hash: AC91F175A002189FDB04DF96C884FBEB7B5FF46315F28402DE950EB292D774A981DB90

Function 00C6948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2ed602f017a0d494b66d762adab99937d3a027ac6d365392c6c34f81e8030268
Instruction ID: eee825ea718db64d79f719a0c7c6a4cd456a406bec44fcd56f7e8621c3a5a254
Opcode Fuzzy Hash: 2ed602f017a0d494b66d762adab99937d3a027ac6d365392c6c34f81e8030268
Instruction Fuzzy Hash: 7D912971D00219EFCB20CFA9CC84AEEBBB8FF49324F148559E516B7251D774AA42DB60

Function 00CD3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CD396B
CharUpperBuffW.USER32(?,?), ref: 00CD3A7A
_wcslen.LIBCMT ref: 00CD3A8A
VariantClear.OLEAUT32(?), ref: 00CD3C1F

Part of subcall function 00CC0CDF: VariantInit.OLEAUT32(00000000), ref: 00CC0D1F
Part of subcall function 00CC0CDF: VariantCopy.OLEAUT32(?,?), ref: 00CC0D28
Part of subcall function 00CC0CDF: VariantClear.OLEAUT32(?), ref: 00CC0D34

Strings

AUTOIT.ERROR, xrefs: 00CD3A80, 00CD3A85
Incorrect Parameter format, xrefs: 00CD39A6, 00CD3BA1

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 3055f79812ddd1a0eb541205456f351bec6888834c20e4738965b42f3aaf0441
Instruction ID: ba19dbb67fed17494c8ffda486ef0ad8971b106f22270c12afd614a18603dc1b
Opcode Fuzzy Hash: 3055f79812ddd1a0eb541205456f351bec6888834c20e4738965b42f3aaf0441
Instruction Fuzzy Hash: 38918A74608341AFC704DF64C48096AB7E4FF89314F14896EF99A9B351DB30EE4ADB92

Function 00CD4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00CB000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CAFF41,80070057,?,?,?,00CB035E), ref: 00CB002B
Part of subcall function 00CB000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CAFF41,80070057,?,?), ref: 00CB0046
Part of subcall function 00CB000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CAFF41,80070057,?,?), ref: 00CB0054
Part of subcall function 00CB000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CAFF41,80070057,?), ref: 00CB0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00CD4C51
_wcslen.LIBCMT ref: 00CD4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00CD4DCF
CoTaskMemFree.OLE32(?), ref: 00CD4DDA

Strings

NULL Pointer assignment, xrefs: 00CD4E23, 00CD4E52

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 0ff12c549ba64b2fc5a118c73abc2230370b3abe8f74c7adaa24562578d6eebc
Instruction ID: 4b04d3e0f5280167563108a17747acde1946e1340f9c56ab15fcc6a215301aff
Opcode Fuzzy Hash: 0ff12c549ba64b2fc5a118c73abc2230370b3abe8f74c7adaa24562578d6eebc
Instruction Fuzzy Hash: 1D910771D00219EFDF14DFA5C891AEEB7B9BF08310F10856AEA15AB291DB309A45DF60

Function 00CE20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00CE2183
GetMenuItemCount.USER32(00000000), ref: 00CE21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CE21DD
_wcslen.LIBCMT ref: 00CE2213
GetMenuItemID.USER32(?,?), ref: 00CE224D
GetSubMenu.USER32(?,?), ref: 00CE225B

Part of subcall function 00CB3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CB3A57
Part of subcall function 00CB3A3D: GetCurrentThreadId.KERNEL32 ref: 00CB3A5E
Part of subcall function 00CB3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CB25B3), ref: 00CB3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CE22E3

Part of subcall function 00CBE97B: Sleep.KERNEL32 ref: 00CBE9F3

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: a9f1f4549ae603a72ba5a64618c93d6fa30a2ceb50104380d5a48f08584444dc
Instruction ID: 633b132c8b0096fa4790b795bfb98426cc7c2c4c0652f9c9c16ef576260b86d0
Opcode Fuzzy Hash: a9f1f4549ae603a72ba5a64618c93d6fa30a2ceb50104380d5a48f08584444dc
Instruction Fuzzy Hash: F7718F75A00245AFCB10DFA6C885BAEB7F9EF48320F148459E926EB351D734EE419B90

Function 00CE7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00DA5CB8), ref: 00CE7F37
IsWindowEnabled.USER32(00DA5CB8), ref: 00CE7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00CE801E
SendMessageW.USER32(00DA5CB8,000000B0,?,?), ref: 00CE8051
IsDlgButtonChecked.USER32(?,?), ref: 00CE8089
GetWindowLongW.USER32(00DA5CB8,000000EC), ref: 00CE80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00CE80C3

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 5baa9140f7969e782495f17a4cef6c3046bed5a1fc655f1af2f91f5612ddc22d
Instruction ID: d530da68ea8fbc5007973d70f020aefc785b12224707602b59b4d049670ebda4
Opcode Fuzzy Hash: 5baa9140f7969e782495f17a4cef6c3046bed5a1fc655f1af2f91f5612ddc22d
Instruction Fuzzy Hash: D171D134608284AFEF24DF96CCC5FAA7BB9EF19300F104159F96597261CB31AE45DB20

Function 00CBAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00CBAEF9
GetKeyboardState.USER32(?), ref: 00CBAF0E
SetKeyboardState.USER32(?), ref: 00CBAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00CBAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00CBAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00CBAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00CBB020

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bbcff6ed44428418c87e02d651f53f8b36b82a2fe29153f4ffc222613bbd9599
Instruction ID: b15cb79bf9de897a280ac27f04f1e6675679bc6a5a75e59753c431f209cbc1b3
Opcode Fuzzy Hash: bbcff6ed44428418c87e02d651f53f8b36b82a2fe29153f4ffc222613bbd9599
Instruction Fuzzy Hash: 4251C0E06046D53DFB3692748845BFBBFA95B06304F088489E1E9458C2C3E9EE88D752

Function 00CBACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00CBAD19
GetKeyboardState.USER32(?), ref: 00CBAD2E
SetKeyboardState.USER32(?), ref: 00CBAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00CBADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00CBADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00CBAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00CBAE38

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8e909057c7453aa3e6ccb06b17d1d37e9a4bc98b64d5e27ab1e6049f9001f724
Instruction ID: 3d77205334758cbb67c9378902537020993f00129854790bcab3e37fe224dbcf
Opcode Fuzzy Hash: 8e909057c7453aa3e6ccb06b17d1d37e9a4bc98b64d5e27ab1e6049f9001f724
Instruction Fuzzy Hash: F351E6A15047D53DFB378334CC95BFABEA95B46300F088588F1E54A8D2D394EE98E762

Function 00C8542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00C93CD6,?,?,?,?,?,?,?,?,00C85BA3,?,?,00C93CD6,?,?), ref: 00C85470
__fassign.LIBCMT ref: 00C854EB
__fassign.LIBCMT ref: 00C85506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00C93CD6,00000005,00000000,00000000), ref: 00C8552C
WriteFile.KERNEL32(?,00C93CD6,00000000,00C85BA3,00000000,?,?,?,?,?,?,?,?,?,00C85BA3,?), ref: 00C8554B
WriteFile.KERNEL32(?,?,00000001,00C85BA3,00000000,?,?,?,?,?,?,?,?,?,00C85BA3,?), ref: 00C85584

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 9bb91b3e76de5a57c11cdc5a3787585f340d970bc366002e01d94fc9245d3370
Instruction ID: f0c98e8f660068a49d34ec63b8356ec2eff029fab756b93a519df6be2c65aa3b
Opcode Fuzzy Hash: 9bb91b3e76de5a57c11cdc5a3787585f340d970bc366002e01d94fc9245d3370
Instruction Fuzzy Hash: 5851E4B1A006489FDB10DFA8D881BEEBBF9EF08304F15411AF955E7291D7709A42CB64

Function 00C72D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00C72D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00C72D53
_ValidateLocalCookies.LIBCMT ref: 00C72DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00C72E0C
_ValidateLocalCookies.LIBCMT ref: 00C72E61

Strings

csm, xrefs: 00C72DF6

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 6d5b2d509c77d914e181956bccc2a008326ae72a72f2e4a496839bd438c3a95d
Instruction ID: a950c5030af145449d3751423ac1495e053752ba9e1031b1a18682a77b987584
Opcode Fuzzy Hash: 6d5b2d509c77d914e181956bccc2a008326ae72a72f2e4a496839bd438c3a95d
Instruction Fuzzy Hash: 34419234E00209ABCF20DF69CC55A9EBBB5FF54324F14C156E828AB392D731EA45DB91

Function 00CD10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CD307A
Part of subcall function 00CD304E: _wcslen.LIBCMT ref: 00CD309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00CD1112
WSAGetLastError.WSOCK32 ref: 00CD1121
WSAGetLastError.WSOCK32 ref: 00CD11C9
closesocket.WSOCK32(00000000), ref: 00CD11F9

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 3362917394190531616ea07feddc709a7b8a054742a6307c907e0deb7676f628
Instruction ID: 723c582599d5d5bb5b96dfca802f0e0671fb27a11c3eaf810c48dedf67b0a898
Opcode Fuzzy Hash: 3362917394190531616ea07feddc709a7b8a054742a6307c907e0deb7676f628
Instruction Fuzzy Hash: 2A41D435600204AFDB109F54C884BADBBE9EF45324F18815AFE159F392C770EE85CBA1

Function 00CBCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CBCF22,?), ref: 00CBDDFD

Part of subcall function 00CBDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CBCF22,?), ref: 00CBDE16

lstrcmpiW.KERNEL32(?,?), ref: 00CBCF45
MoveFileW.KERNEL32(?,?), ref: 00CBCF7F
_wcslen.LIBCMT ref: 00CBD005
_wcslen.LIBCMT ref: 00CBD01B
SHFileOperationW.SHELL32(?), ref: 00CBD061

Strings

\*.*, xrefs: 00CBCFF3

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: ac228faf3f367cb370fa161a7a49d34f5e8af0d6717f96da91a7de4451c1055e
Instruction ID: 61da9f1205c087af30122ad5eea665803c5c6f1833c1b9b8e5955fe14a5dfc54
Opcode Fuzzy Hash: ac228faf3f367cb370fa161a7a49d34f5e8af0d6717f96da91a7de4451c1055e
Instruction Fuzzy Hash: C24167719052199FDF16EFA4D9C1AEDB7B9AF08340F1000E6E509EB142EB34A789DB50

Function 00CE2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00CE2E1C
GetWindowLongW.USER32(?,000000F0), ref: 00CE2E4F
GetWindowLongW.USER32(?,000000F0), ref: 00CE2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00CE2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00CE2EE0
GetWindowLongW.USER32(?,000000F0), ref: 00CE2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CE2F0B

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 18f64997f4fa146b49d9e28e370c546047a8600d461b1703d7a101c7fa41fc7c
Instruction ID: 3b8e6a6324b050a0679a82566310bc004dc9ea3c6da041cb628a5edaf193d627
Opcode Fuzzy Hash: 18f64997f4fa146b49d9e28e370c546047a8600d461b1703d7a101c7fa41fc7c
Instruction Fuzzy Hash: B13114356042A09FDB208F59DCC4F6937E8EB6A711F1441A4F920CF2B2CB71AD819B51

Function 00CB7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CB7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CB778F
SysAllocString.OLEAUT32(00000000), ref: 00CB7792
SysAllocString.OLEAUT32(?), ref: 00CB77B0
SysFreeString.OLEAUT32(?), ref: 00CB77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00CB77DE
SysAllocString.OLEAUT32(?), ref: 00CB77EC

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 59c9178dee04e0e526bb469bece079bbad2c8837569374d73ff0ea03fbc7dcec
Instruction ID: b0346d614df52f830d2594604e7676a136d7476a7d66635e89e545b570e3b14e
Opcode Fuzzy Hash: 59c9178dee04e0e526bb469bece079bbad2c8837569374d73ff0ea03fbc7dcec
Instruction Fuzzy Hash: 66219C76604259AFDF11DFA8DCC8EFA77ACEB49364B108125BE14EB190DA709D428760

Function 00CB77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CB7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CB7868
SysAllocString.OLEAUT32(00000000), ref: 00CB786B
SysAllocString.OLEAUT32 ref: 00CB788C
SysFreeString.OLEAUT32 ref: 00CB7895
StringFromGUID2.OLE32(?,?,00000028), ref: 00CB78AF
SysAllocString.OLEAUT32(?), ref: 00CB78BD

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1d477ec7e30454d6b602bdabaeda81e92c011a73a417951f6e4f81fd0b248947
Instruction ID: 484803a593d5804cf168805fb79a63e973b23cc5912cddd5b12a626fbdbb3a3d
Opcode Fuzzy Hash: 1d477ec7e30454d6b602bdabaeda81e92c011a73a417951f6e4f81fd0b248947
Instruction Fuzzy Hash: 96217131608204AFDB109FB8DCC8EBA77ECEB49760B108225F925DB2E1D675DD42DB64

Function 00CC04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00CC04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CC052E

Strings

nul, xrefs: 00CC0567

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 899e41cf7044a023aa8ab840987596b7516ed32c5d1a0beec72be3e5e30748d3
Instruction ID: 7fcb79ecb74ad8b26af7bea77969f4d1c3724c02119f748ebc5d6471ce20535e
Opcode Fuzzy Hash: 899e41cf7044a023aa8ab840987596b7516ed32c5d1a0beec72be3e5e30748d3
Instruction Fuzzy Hash: 40215A75600305EFDF209F69D885F9A7BA8AF44725F304A1DE8B1D62E0D7709A41CF24

Function 00CC05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00CC05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CC0601

Strings

nul, xrefs: 00CC0639

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 4321d71d22ebd0697e93f35245e18d5022e860b14baaca2796c2701506dcd8e3
Instruction ID: d8db36ab4bfd2059f098d73d9c6d88c113b4c35c3ebe1dc830c0fbd14b25218f
Opcode Fuzzy Hash: 4321d71d22ebd0697e93f35245e18d5022e860b14baaca2796c2701506dcd8e3
Instruction Fuzzy Hash: A8213B75500315EBDB209F69D844F9A77A8AF95B21F300A1DFDB1E72E0D6B09A61CB20

Function 00CE40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C5600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C5604C
Part of subcall function 00C5600E: GetStockObject.GDI32(00000011), ref: 00C56060
Part of subcall function 00C5600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C5606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CE4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CE411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CE412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CE4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CE4145

Strings

Msctls_Progress32, xrefs: 00CE40E3

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c48d3420fcae8d474e2b9ca63338e1b2f8d5f11d4a59e0192acfa3fa06c6a480
Instruction ID: 419dccef7fb48931a60a9c2bd3f7eb7b517616b6469b21d00dfdb35c7a0f96a8
Opcode Fuzzy Hash: c48d3420fcae8d474e2b9ca63338e1b2f8d5f11d4a59e0192acfa3fa06c6a480
Instruction Fuzzy Hash: 2211B6B11402197EEF118F65CC85EEB7F6DEF18798F014110FA18E6150C6769C61DBA4

Function 00C8D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C8D7A3: _free.LIBCMT ref: 00C8D7CC

_free.LIBCMT ref: 00C8D82D

Part of subcall function 00C829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C8D7D1,00000000,00000000,00000000,00000000,?,00C8D7F8,00000000,00000007,00000000,?,00C8DBF5,00000000), ref: 00C829DE
Part of subcall function 00C829C8: GetLastError.KERNEL32(00000000,?,00C8D7D1,00000000,00000000,00000000,00000000,?,00C8D7F8,00000000,00000007,00000000,?,00C8DBF5,00000000,00000000), ref: 00C829F0

_free.LIBCMT ref: 00C8D838
_free.LIBCMT ref: 00C8D843
_free.LIBCMT ref: 00C8D897
_free.LIBCMT ref: 00C8D8A2
_free.LIBCMT ref: 00C8D8AD
_free.LIBCMT ref: 00C8D8B8

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 527b38662e9a6c7219deaaf009015ca6e9a08cdb9ddcd71dd5bb7a656ea99fbe
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 0F112E71540B04AAD621BFB0CC4BFCF7BDCAF04704F414865F29AE64D2DA69B505A768

Function 00CBDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00CBDA74
LoadStringW.USER32(00000000), ref: 00CBDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00CBDA91
LoadStringW.USER32(00000000), ref: 00CBDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CBDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00CBDAB9

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 0f91285a87f0705c8e60c0c3d147c3df978c1e4066c48a9d5698202c1b4e99db
Instruction ID: b7255c17313e097d44b415cff0d6627e6df5ee0ae30b3f504715173ddb83440e
Opcode Fuzzy Hash: 0f91285a87f0705c8e60c0c3d147c3df978c1e4066c48a9d5698202c1b4e99db
Instruction Fuzzy Hash: B9016DF2900248BFEB10ABA09DC9FEB736CEB08701F400492B716E6051EA749E858F74

Function 00CC096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00D9E2A0,00D9E2A0), ref: 00CC097B
EnterCriticalSection.KERNEL32(00D9E280,00000000), ref: 00CC098D
TerminateThread.KERNEL32(?,000001F6), ref: 00CC099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 00CC09A9
CloseHandle.KERNEL32(?), ref: 00CC09B8
InterlockedExchange.KERNEL32(00D9E2A0,000001F6), ref: 00CC09C8
LeaveCriticalSection.KERNEL32(00D9E280), ref: 00CC09CF

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 22f6da28c49903232aded6a2e9ccfd84355165bf8eca566a1650df8ec0433ace
Instruction ID: ab26a9075418496def43ad36b7bdd45218d5e435d5597f4dd859d81ec4468c4a
Opcode Fuzzy Hash: 22f6da28c49903232aded6a2e9ccfd84355165bf8eca566a1650df8ec0433ace
Instruction Fuzzy Hash: 70F01432442A42EBD7415BA4EEC8BDABA29BF01702F502025F202988A1CB74A576CF90

Function 00CD1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00CD1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00CD1DE1
WSAGetLastError.WSOCK32 ref: 00CD1DF2
htons.WSOCK32(?,?,?,?,?), ref: 00CD1EDB
inet_ntoa.WSOCK32(?), ref: 00CD1E8C

Part of subcall function 00CB39E8: _strlen.LIBCMT ref: 00CB39F2

Part of subcall function 00CD3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00CCEC0C), ref: 00CD3240

_strlen.LIBCMT ref: 00CD1F35

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: b72349dd92b7af859556675c35814979bd219a90cf5638ac3b343e0f4ec566e2
Instruction ID: d89c2f2a09a24f2659703e3b37f08e38096266f0f5445402340084ea93357a6c
Opcode Fuzzy Hash: b72349dd92b7af859556675c35814979bd219a90cf5638ac3b343e0f4ec566e2
Instruction Fuzzy Hash: B3B1C435604340AFC324DF64C885E2A7BE5AF84318F58894DF9665B3E2DB31EE46CB91

Function 00C55D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00C55D30
GetWindowRect.USER32(?,?), ref: 00C55D71
ScreenToClient.USER32(?,?), ref: 00C55D99
GetClientRect.USER32(?,?), ref: 00C55ED7
GetWindowRect.USER32(?,?), ref: 00C55EF8

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 399f4aa1a024d60b42b50aff333c94cc6af4c54b210a0dbb71107424e590a46e
Instruction ID: 65d42f4a716c57860a9c39acb6a17b20f447b01ff856374c7d7b3c0b106b1756
Opcode Fuzzy Hash: 399f4aa1a024d60b42b50aff333c94cc6af4c54b210a0dbb71107424e590a46e
Instruction Fuzzy Hash: 03B19D38A0068ADBCF14CFA9C485BEEB7F1FF04310F14851AE8A9D7250D734AA85CB54

Function 00C801B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00C800BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C800D6
__allrem.LIBCMT ref: 00C800ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C8010B
__allrem.LIBCMT ref: 00C80122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C80140

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: c2910956128b59028e25cb79886b82094c8656b9b02ded222f94f9cfb939f329
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 2981F7726007069BE724AE69CC86B6E73E8AF41338F24813EF425D7281EB70DE059758

Function 00C861FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C782D9,00C782D9,?,?,?,00C8644F,00000001,00000001,8BE85006), ref: 00C86258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00C8644F,00000001,00000001,8BE85006,?,?,?), ref: 00C862DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00C863D8
__freea.LIBCMT ref: 00C863E5

Part of subcall function 00C83820: RtlAllocateHeap.NTDLL(00000000,?,00D21444,?,00C6FDF5,?,?,00C5A976,00000010,00D21440,00C513FC,?,00C513C6,?,00C51129), ref: 00C83852

__freea.LIBCMT ref: 00C863EE
__freea.LIBCMT ref: 00C86413

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 5a182f837b7a37443db33bb6d9c9e5c85918e94475f95566ef0d27149d513bf7
Instruction ID: 800bcc3fc53abae7530ac8a09b01bccadc66569fbec1d3a5565cea70c3099782
Opcode Fuzzy Hash: 5a182f837b7a37443db33bb6d9c9e5c85918e94475f95566ef0d27149d513bf7
Instruction Fuzzy Hash: 0D513372600216ABEB25AF60CC81EBF7BAAEF44718F144229FD15D7150EB34DD40D768

Function 00CDBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

Part of subcall function 00CDC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CDB6AE,?,?), ref: 00CDC9B5
Part of subcall function 00CDC998: _wcslen.LIBCMT ref: 00CDC9F1
Part of subcall function 00CDC998: _wcslen.LIBCMT ref: 00CDCA68
Part of subcall function 00CDC998: _wcslen.LIBCMT ref: 00CDCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CDBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CDBD25
RegCloseKey.ADVAPI32(00000000), ref: 00CDBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CDBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CDBDF3
RegCloseKey.ADVAPI32(?), ref: 00CDBDFF

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 24b9e21a48215d23ca9df19a7d367df2fdc96576c35b772fb8c29845ab41c9db
Instruction ID: 98af03b0ca9c9eed62309644c543d2b4c2824ea0937eb20ff800f00d963badb5
Opcode Fuzzy Hash: 24b9e21a48215d23ca9df19a7d367df2fdc96576c35b772fb8c29845ab41c9db
Instruction Fuzzy Hash: A5819E30208241EFC714DF24C891E2ABBE5FF84308F15895DF5598B2A2DB31ED49DB92

Function 00CAF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00CAF7B9
SysAllocString.OLEAUT32(00000001), ref: 00CAF860
VariantCopy.OLEAUT32(00CAFA64,00000000), ref: 00CAF889
VariantClear.OLEAUT32(00CAFA64), ref: 00CAF8AD
VariantCopy.OLEAUT32(00CAFA64,00000000), ref: 00CAF8B1
VariantClear.OLEAUT32(?), ref: 00CAF8BB

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: a6014b326442a9c7a3b1f7a4cdaa72b342080566b1ec2b68328683f695788d1c
Instruction ID: 1984a8276c46c93c24b683742c2d220cb35baedc9976d9c4284cab99f4396a54
Opcode Fuzzy Hash: a6014b326442a9c7a3b1f7a4cdaa72b342080566b1ec2b68328683f695788d1c
Instruction Fuzzy Hash: 4651D635500316AACF20BFB6D8D5B2AB3A4EF47318F24446EE805DF291DB748C42D796

Function 00CC910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00C57620: _wcslen.LIBCMT ref: 00C57625

Part of subcall function 00C56B57: _wcslen.LIBCMT ref: 00C56B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00CC94E5
_wcslen.LIBCMT ref: 00CC9506
_wcslen.LIBCMT ref: 00CC952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00CC9585

Strings

X, xrefs: 00CC9412

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 8771ec41e3009af24037365d4860a04caf46a039f69eb483dc03f6c18bdf3f2c
Instruction ID: 2bf880bcae22c51e8d96d88536b0576a28c39c267226898807eb0951e5a55392
Opcode Fuzzy Hash: 8771ec41e3009af24037365d4860a04caf46a039f69eb483dc03f6c18bdf3f2c
Instruction Fuzzy Hash: B2E18D356083418FC724DF24C885F6AB7E4FF85314F04896DE8999B2A2DB31ED49CB96

Function 00C6920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C69BB2

BeginPaint.USER32(?,?,?), ref: 00C69241
GetWindowRect.USER32(?,?), ref: 00C692A5
ScreenToClient.USER32(?,?), ref: 00C692C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C692D3
EndPaint.USER32(?,?,?,?,?), ref: 00C69321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00CA71EA

Part of subcall function 00C69339: BeginPath.GDI32(00000000), ref: 00C69357

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 71d9a5ed124c769b3e578b7724809d548576c687bd4d8324194a534cf1a284c7
Instruction ID: 5d263a393e64fe90dc367e93ef5c1448b9c08c3c4296c9da9ca99bc9eb33bd42
Opcode Fuzzy Hash: 71d9a5ed124c769b3e578b7724809d548576c687bd4d8324194a534cf1a284c7
Instruction Fuzzy Hash: A341AC70104341AFD721DF25CCD4FBA7BB8EBA6724F040229FAA5CB2A1C7309946DB61

Function 00CC07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00CC080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00CC0847
EnterCriticalSection.KERNEL32(?), ref: 00CC0863
LeaveCriticalSection.KERNEL32(?), ref: 00CC08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00CC08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00CC0921

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 74631592d01fcb1b817778c2516964e52eb4443d229b0a6ec118df5b05585ea4
Instruction ID: 7feb2799751a6d51e0d38fe2ef47f96c3fbaabc88854c84be3ee4592c8e1267c
Opcode Fuzzy Hash: 74631592d01fcb1b817778c2516964e52eb4443d229b0a6ec118df5b05585ea4
Instruction Fuzzy Hash: 03415871900205EBDF149F54DCC5BAA7B78FF04300B1480A9E9049E297DB31DE62DBA0

Function 00CE81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00CAF3AB,00000000,?,?,00000000,?,00CA682C,00000004,00000000,00000000), ref: 00CE824C
EnableWindow.USER32(?,00000000), ref: 00CE8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00CE82D1
ShowWindow.USER32(?,00000004), ref: 00CE82E5
EnableWindow.USER32(?,00000001), ref: 00CE830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00CE832F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 6214c40ff97543215c96d35f27a5a38f7ee5eeed6b393948327e4fe6f6d65832
Instruction ID: 4abad83cb6715a7c974a60c2d957715f3dca816124d06318b6f82120b51e912e
Opcode Fuzzy Hash: 6214c40ff97543215c96d35f27a5a38f7ee5eeed6b393948327e4fe6f6d65832
Instruction Fuzzy Hash: D6418374601784AFDF25CF16C8D5BA47BE0BB1A714F184169E62C9F272CB32A94ACF50

Function 00CB4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00CB4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00CB4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00CB4CEA
_wcslen.LIBCMT ref: 00CB4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00CB4D10
_wcsstr.LIBVCRUNTIME ref: 00CB4D1A

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 881e01dfe05416d324a41f1a9198cc38f38eee763d7682d9c47ad799b55876b0
Instruction ID: bd53765c45d0eea91cde695cd99330ef7d0895f3aae2b5d59121e95e6c3671c8
Opcode Fuzzy Hash: 881e01dfe05416d324a41f1a9198cc38f38eee763d7682d9c47ad799b55876b0
Instruction Fuzzy Hash: B021C972608240BBEB295B39EC89FBF7FACDF45750F10802DF805CA192DA61DD4196A0

Function 00CC581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C53AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C53A97,?,?,00C52E7F,?,?,?,00000000), ref: 00C53AC2

_wcslen.LIBCMT ref: 00CC587B
CoInitialize.OLE32(00000000), ref: 00CC5995
CoCreateInstance.OLE32(00CEFCF8,00000000,00000001,00CEFB68,?), ref: 00CC59AE
CoUninitialize.OLE32 ref: 00CC59CC

Strings

.lnk, xrefs: 00CC5876, 00CC58C1, 00CC5985

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: a2067362846c99e06b784404f0f39b4db3cfdb807877c8e4889519052cd12c10
Instruction ID: 414cf49a6cd2ce4b5d631b2d738b6fb07474d89cdbfc5c6a2d2bde9e66cf14e4
Opcode Fuzzy Hash: a2067362846c99e06b784404f0f39b4db3cfdb807877c8e4889519052cd12c10
Instruction Fuzzy Hash: 67D164746047019FC714DF25C490E2ABBE1EF89710F14899DF89A9B361DB31ED8ACB92

Function 00CB175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CB0FCA
Part of subcall function 00CB0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CB0FD6
Part of subcall function 00CB0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CB0FE5
Part of subcall function 00CB0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CB0FEC
Part of subcall function 00CB0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CB1002

GetLengthSid.ADVAPI32(?,00000000,00CB1335), ref: 00CB17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00CB17BA
HeapAlloc.KERNEL32(00000000), ref: 00CB17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00CB17DA
GetProcessHeap.KERNEL32(00000000,00000000,00CB1335), ref: 00CB17EE
HeapFree.KERNEL32(00000000), ref: 00CB17F5

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: bf9d20c3dc18728d184c50d59030661317a76264a9b2315998066d861a3e4ecf
Instruction ID: 54e71613ec9bb0bfc508db9664dd1bee5b9683216a43deab49b5bdea951eee6b
Opcode Fuzzy Hash: bf9d20c3dc18728d184c50d59030661317a76264a9b2315998066d861a3e4ecf
Instruction Fuzzy Hash: DD118E32610205FFDB10DFA4CC99BEF7BA9EB46355F584018F851AB210DB35AA45CB60

Function 00CB14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00CB14FF
OpenProcessToken.ADVAPI32(00000000), ref: 00CB1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00CB1515
CloseHandle.KERNEL32(00000004), ref: 00CB1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CB154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00CB1563

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b5f4c81c1d11e23cce52e39a78612de6c2dbaef5bdb1d26cf028af39198eff25
Instruction ID: 5a0be84ab6400169a8bf05a46e3aa942316ee438b7a3816365c865f691f151a0
Opcode Fuzzy Hash: b5f4c81c1d11e23cce52e39a78612de6c2dbaef5bdb1d26cf028af39198eff25
Instruction Fuzzy Hash: 6E112672500249EBDF11CFA8DD89BDE7BA9EF48744F088025FE15A6060C3758E65DB60

Function 00C73382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C73379,00C72FE5), ref: 00C73390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C7339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C733B7
SetLastError.KERNEL32(00000000,?,00C73379,00C72FE5), ref: 00C73409

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ebb65e195f047ca6cd00931a7ad5c77c1a04015ea3e14124f6ac2102dfa871aa
Instruction ID: 7409f228284b04eebd194b3b78303330e4d74eb569ce41266ffd8b7a854dffa6
Opcode Fuzzy Hash: ebb65e195f047ca6cd00931a7ad5c77c1a04015ea3e14124f6ac2102dfa871aa
Instruction Fuzzy Hash: 7A012432258351BEA62927757CC5BAB2A95EB0937A330C229F528C42F0EF114E037264

Function 00C82D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C85686,00C93CD6,?,00000000,?,00C85B6A,?,?,?,?,?,00C7E6D1,?,00D18A48), ref: 00C82D78
_free.LIBCMT ref: 00C82DAB
_free.LIBCMT ref: 00C82DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00C7E6D1,?,00D18A48,00000010,00C54F4A,?,?,00000000,00C93CD6), ref: 00C82DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00C7E6D1,?,00D18A48,00000010,00C54F4A,?,?,00000000,00C93CD6), ref: 00C82DEC
_abort.LIBCMT ref: 00C82DF2

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 4205c8eed67171c76a0fecaf351c7e4d5852380eb19d459742d30601a3d35779
Instruction ID: de97dab33ceefec2e35187db543eca8db50e24b524afa8ef26393d332457c819
Opcode Fuzzy Hash: 4205c8eed67171c76a0fecaf351c7e4d5852380eb19d459742d30601a3d35779
Instruction Fuzzy Hash: 2FF0F43664570037C2123338BC4EB5F2959ABC27ADF21401AF834D22E2EF249902A338

Function 00CE8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00C69639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C69693
Part of subcall function 00C69639: SelectObject.GDI32(?,00000000), ref: 00C696A2
Part of subcall function 00C69639: BeginPath.GDI32(?), ref: 00C696B9
Part of subcall function 00C69639: SelectObject.GDI32(?,00000000), ref: 00C696E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00CE8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00CE8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00CE8A70
LineTo.GDI32(?,00000000,00000003), ref: 00CE8A80
EndPath.GDI32(?), ref: 00CE8A90
StrokePath.GDI32(?), ref: 00CE8AA0

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 17dd6ccb3424cb2ea9823cfc86db2be3d27f8e6d67128b6dafb7b5cdeb55e948
Instruction ID: e18a496ff5896e07d9231d227ea3a41ac76d4d4a805850a08a5a6e9a049ad7da
Opcode Fuzzy Hash: 17dd6ccb3424cb2ea9823cfc86db2be3d27f8e6d67128b6dafb7b5cdeb55e948
Instruction Fuzzy Hash: 4A11A876000189FFDF129F95DC88F9A7F6DEB04354F048061FA199A161C7719D56DB60

Function 00CB51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00CB5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00CB5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CB5230
ReleaseDC.USER32(00000000,00000000), ref: 00CB5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00CB524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00CB5261

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: a7bf30385707b697fb4fd62a25b5e81972437d61444708e4cd24c50a30dbcdc8
Instruction ID: a73336d17dbd066c1343f086963117f37052cd5248893fe57cc9c4591ab5539d
Opcode Fuzzy Hash: a7bf30385707b697fb4fd62a25b5e81972437d61444708e4cd24c50a30dbcdc8
Instruction Fuzzy Hash: 4D018F75A01708BBEB109BE59C89B8EBFB8EB48751F044065FA04AB281D6709901CBA0

Function 00C51BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C51BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C51BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C51C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C51C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C51C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C51C22

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 7d2865c2deddecfdb129cc52de52dbd61b926cece9802fdce1db6f9b29cb6bd7
Instruction ID: 5499233fb2023c2caccb6ac106991dd5ff3ffade5792efd4b5ef462542062ee2
Opcode Fuzzy Hash: 7d2865c2deddecfdb129cc52de52dbd61b926cece9802fdce1db6f9b29cb6bd7
Instruction Fuzzy Hash: 660144B0902B5ABDE3008F6A8C85B56FFA8FF19354F00411BA15C4BA42C7B5A864CBE5

Function 00CBEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00CBEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00CBEB46
GetWindowThreadProcessId.USER32(?,?), ref: 00CBEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CBEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CBEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CBEB75

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: fa9cec452d57625f36071e433fad751d4f0fc0514c868306563d014037264ce8
Instruction ID: 214db1f4fdd4371935ed2b94964a4ad591e1b28c2bb1fd81b5a814c29e0a6f17
Opcode Fuzzy Hash: fa9cec452d57625f36071e433fad751d4f0fc0514c868306563d014037264ce8
Instruction Fuzzy Hash: 85F03A72240198BBE7215B629C8EFEF3A7CEFCAB11F000158FA11E9091D7A05A02C6B5

Function 00CA7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00CA7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00CA7469
GetWindowDC.USER32(?), ref: 00CA7475
GetPixel.GDI32(00000000,?,?), ref: 00CA7484
ReleaseDC.USER32(?,00000000), ref: 00CA7496
GetSysColor.USER32(00000005), ref: 00CA74B0

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 2d607965bc514d9a92b749f11f251216edf410b103a767a13244debd5107910d
Instruction ID: b842d5f687822a720d9c3d1b926d9314c0b7e13d3286bab4fbccd5b77897fa28
Opcode Fuzzy Hash: 2d607965bc514d9a92b749f11f251216edf410b103a767a13244debd5107910d
Instruction Fuzzy Hash: 9001AD31400295EFDB105F64DC88BAE7BB9FF08311F104164F926A71A0CB311E42EF10

Function 00CB1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CB187F
UnloadUserProfile.USERENV(?,?), ref: 00CB188B
CloseHandle.KERNEL32(?), ref: 00CB1894
CloseHandle.KERNEL32(?), ref: 00CB189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00CB18A5
HeapFree.KERNEL32(00000000), ref: 00CB18AC

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 8184a3c6cea58f407b113a1cbb9247053626102d66442c604d22841abaf70470
Instruction ID: 53fb49be641bccde14fe81375ada20ceee53c2b8255ea22cd1d7fd36a4c9c6ef
Opcode Fuzzy Hash: 8184a3c6cea58f407b113a1cbb9247053626102d66442c604d22841abaf70470
Instruction Fuzzy Hash: 3AE0E536004241BBDB015FA1ED8CB4EBF39FF4AB22B108220F62589070CB329432DF50

Function 00CBC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C57620: _wcslen.LIBCMT ref: 00C57625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CBC6EE
_wcslen.LIBCMT ref: 00CBC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CBC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00CBC7CA

Strings

0, xrefs: 00CBC6AF

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 4015864b16c80b4c53a1db191bd629ecdb3bcb60ac17d80332e55368c547e0c9
Instruction ID: 86eebfe8fd0a65faa629e2ae42b526b8d5e6e7da973f731e3de00bff3359c8a9
Opcode Fuzzy Hash: 4015864b16c80b4c53a1db191bd629ecdb3bcb60ac17d80332e55368c547e0c9
Instruction Fuzzy Hash: 7951CE716043509BD7249F28D8C5BAB77E8AF99314F040A2DF9A5E32A0DB60DE44DB62

Function 00CDAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00CDAEA3

Part of subcall function 00C57620: _wcslen.LIBCMT ref: 00C57625

GetProcessId.KERNEL32(00000000), ref: 00CDAF38
CloseHandle.KERNEL32(00000000), ref: 00CDAF67

Strings

<, xrefs: 00CDAE6B
@, xrefs: 00CDAE72

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 8ef281f1436f374c6f1bdb96e7acd649f8205ea1ffcc056ba0cf5f06fd080969
Instruction ID: 7d5da65170cee1d322ac18deaf004d32da23b680e093831149957d6fa423511d
Opcode Fuzzy Hash: 8ef281f1436f374c6f1bdb96e7acd649f8205ea1ffcc056ba0cf5f06fd080969
Instruction Fuzzy Hash: 2B719D75A00215DFCB14DF94D484A9EBBF0FF08310F04849AE856AB3A2DB74EE85CB95

Function 00CB719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00CB7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00CB723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00CB724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00CB72CF

Strings

DllGetClassObject, xrefs: 00CB7242

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 541d2d157148f9f158ea4a40028e9941d5ae0d274915794b889328e86629e29b
Instruction ID: e8f484f4551c55810550eeef9061490bc7b21956ca07616e2394b0b814be6706
Opcode Fuzzy Hash: 541d2d157148f9f158ea4a40028e9941d5ae0d274915794b889328e86629e29b
Instruction Fuzzy Hash: 0B417EB1A04204EFDB15CF64C984BDA7BA9EF84310F1581ADBD05DF20AD7B0DA45CBA1

Function 00CE3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CE3E35
IsMenu.USER32(?), ref: 00CE3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CE3E92
DrawMenuBar.USER32 ref: 00CE3EA5

Strings

0, xrefs: 00CE3D89

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: c7dce8a4907d5233e522a780403e811670bb0cf7a240ceaee1d3f470e27c466d
Instruction ID: 72d5c977a5839123b81327315738d7bb5b011da28446564d7c2c5ad18865fd29
Opcode Fuzzy Hash: c7dce8a4907d5233e522a780403e811670bb0cf7a240ceaee1d3f470e27c466d
Instruction Fuzzy Hash: A2418A74A01289EFDB14DF51D888EAABBB9FF49350F044129E825AB350C330BE41DF60

Function 00CB1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

Part of subcall function 00CB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CB3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00CB1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00CB1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00CB1EA9

Part of subcall function 00C56B57: _wcslen.LIBCMT ref: 00C56B6A

Strings

ListBox, xrefs: 00CB1E25
ComboBox, xrefs: 00CB1DF0

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 36f6d7637753d9150cea9a8f49e6b69b4e687cf907bba029b094cd23d698aa8f
Instruction ID: 2f3bce889d298d674a3f94d7bd07a892a3e1809d865fd96e195967a08622b9e3
Opcode Fuzzy Hash: 36f6d7637753d9150cea9a8f49e6b69b4e687cf907bba029b094cd23d698aa8f
Instruction Fuzzy Hash: E8216875A00184BFDB14ABA4DC9ADFFBBB9DF42350F544119FC21A71E1DB348E4AA620

Function 00CE2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CE2F8D
LoadLibraryW.KERNEL32(?), ref: 00CE2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CE2FA9
DestroyWindow.USER32(?), ref: 00CE2FB1

Strings

SysAnimate32, xrefs: 00CE2F68

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: d9f562a53f03c1df576919473884a61d31de5453794a3403f07ca8687a63d02f
Instruction ID: f7dcbb12c805ec76d9fe68136419035398652601518f18223dfec6ae0305cc15
Opcode Fuzzy Hash: d9f562a53f03c1df576919473884a61d31de5453794a3403f07ca8687a63d02f
Instruction Fuzzy Hash: BA21C072600295AFEB104FA6DC81FBB77BDEB59364F104218F960D6190D771DC929760

Function 00C74D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C74D1E,00C828E9,?,00C74CBE,00C828E9,00D188B8,0000000C,00C74E15,00C828E9,00000002), ref: 00C74D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C74DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00C74D1E,00C828E9,?,00C74CBE,00C828E9,00D188B8,0000000C,00C74E15,00C828E9,00000002,00000000), ref: 00C74DC3

Strings

mscoree.dll, xrefs: 00C74D86
CorExitProcess, xrefs: 00C74D98

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 70f1c6fd5cbc154b9b7d0e99561f6d4939e213310c4935bda5cdde4bfe2d7a1a
Instruction ID: 6eb8bcaa35ca0b1fdbadaa7d6ebec5c46c80833c9167533e84c7b2d42ded7fb2
Opcode Fuzzy Hash: 70f1c6fd5cbc154b9b7d0e99561f6d4939e213310c4935bda5cdde4bfe2d7a1a
Instruction Fuzzy Hash: 96F06235A40308BBDB259F90DC89BEDBFF5EF44752F1040A9F909A62A0DB309E41DB91

Function 00C54E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C54EDD,?,00D21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C54E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C54EAE
FreeLibrary.KERNEL32(00000000,?,?,00C54EDD,?,00D21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C54EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00C54EA8
kernel32.dll, xrefs: 00C54E94

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ece1be8098320b7b01781db920629c5b1498daa4911f14372a1e2bbc5b2d4309
Instruction ID: 3be45d68e1173c49c441f918f00d15032296e84547c617c4ce91bd411e61d837
Opcode Fuzzy Hash: ece1be8098320b7b01781db920629c5b1498daa4911f14372a1e2bbc5b2d4309
Instruction Fuzzy Hash: F6E0CD3AE016225FD23117257C9DB5FA554AF82F677050115FC10D7140DFA0CE8740B4

Function 00C54E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C93CDE,?,00D21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C54E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C54E74
FreeLibrary.KERNEL32(00000000,?,?,00C93CDE,?,00D21418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C54E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00C54E6E
kernel32.dll, xrefs: 00C54E5B

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: c2207f7fec9203c14c79b81213526da9de3d3d0fee04c5d59056a821e5c49f0c
Instruction ID: 0253135d60fd55715ed3ee9f05e7448ccead79072c29a8059f431d40bf59c217
Opcode Fuzzy Hash: c2207f7fec9203c14c79b81213526da9de3d3d0fee04c5d59056a821e5c49f0c
Instruction Fuzzy Hash: B9D0C23A9026616B57261B257C89F8FAA28AF81F163050124BC10A6110CFA0CE8681E4

Function 00CC2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CC2C05
DeleteFileW.KERNEL32(?), ref: 00CC2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CC2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CC2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CC2CC0

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: fe81ad445f995adfb8ace94a4fb883d59fca355c20ea1ce417fa85c8d74466ba
Instruction ID: a98b903c1b7501eae89d4d7f2b1e9d8cd49ba98fc316d119c13986f72a5c08ae
Opcode Fuzzy Hash: fe81ad445f995adfb8ace94a4fb883d59fca355c20ea1ce417fa85c8d74466ba
Instruction Fuzzy Hash: E7B13C72D00119ABDF25DBA4CC85FDEBBBDEF48350F1040AAFA09E6141EA319E449F61

Function 00CDA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00CDA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CDA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CDA468
CloseHandle.KERNEL32(?), ref: 00CDA63D

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: a9bae62d5e47941678744ecfd173b413a946cef262ed4fae6087897cbdee2adf
Instruction ID: 0a37c1366f7c7cc7284bdf3cb9a724f776eef6b153de3a32ec9242bf3de0fa4d
Opcode Fuzzy Hash: a9bae62d5e47941678744ecfd173b413a946cef262ed4fae6087897cbdee2adf
Instruction Fuzzy Hash: 73A1B2756043009FD720DF28D882F2AB7E1AF84714F14885DFA5A9B392DB70ED45CB82

Function 00C8BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00CF3700), ref: 00C8BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00D2121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00C8BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00D21270,000000FF,?,0000003F,00000000,?), ref: 00C8BC36
_free.LIBCMT ref: 00C8BB7F

Part of subcall function 00C829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C8D7D1,00000000,00000000,00000000,00000000,?,00C8D7F8,00000000,00000007,00000000,?,00C8DBF5,00000000), ref: 00C829DE
Part of subcall function 00C829C8: GetLastError.KERNEL32(00000000,?,00C8D7D1,00000000,00000000,00000000,00000000,?,00C8D7F8,00000000,00000007,00000000,?,00C8DBF5,00000000,00000000), ref: 00C829F0

_free.LIBCMT ref: 00C8BD4B

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 9edf641cfa46daaea7671fa6edad4679de6ae90e3b1866bdf3468804cec31bd2
Instruction ID: f962317cdd9b72684e4a5343934ba473a35b9234bcc63414965a4d7f6f49c82b
Opcode Fuzzy Hash: 9edf641cfa46daaea7671fa6edad4679de6ae90e3b1866bdf3468804cec31bd2
Instruction Fuzzy Hash: DD51E975900219EFCB20FF659C819BEB7BCEF51318B10426AF464D72A1EB309E419B68

Function 00CBE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CBCF22,?), ref: 00CBDDFD

Part of subcall function 00CBDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CBCF22,?), ref: 00CBDE16

Part of subcall function 00CBE199: GetFileAttributesW.KERNEL32(?,00CBCF95), ref: 00CBE19A

lstrcmpiW.KERNEL32(?,?), ref: 00CBE473
MoveFileW.KERNEL32(?,?), ref: 00CBE4AC
_wcslen.LIBCMT ref: 00CBE5EB
_wcslen.LIBCMT ref: 00CBE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00CBE650

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: fb0684976748ccb3d7d8eb929d4ae1d5a4a6bbecc5191b29ccceb2c8e7422562
Instruction ID: daebc54094405c5b8d4be782146bed0df7ed15c6dd3f39854daebc92d6a3f3e2
Opcode Fuzzy Hash: fb0684976748ccb3d7d8eb929d4ae1d5a4a6bbecc5191b29ccceb2c8e7422562
Instruction Fuzzy Hash: B75184B24083459BC724EBA4C8819DF73ECEF85740F00491EF599D3191EF74A68C8B66

Function 00CDB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

Part of subcall function 00CDC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CDB6AE,?,?), ref: 00CDC9B5
Part of subcall function 00CDC998: _wcslen.LIBCMT ref: 00CDC9F1
Part of subcall function 00CDC998: _wcslen.LIBCMT ref: 00CDCA68
Part of subcall function 00CDC998: _wcslen.LIBCMT ref: 00CDCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CDBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CDBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CDBB63
RegCloseKey.ADVAPI32(?,?), ref: 00CDBBA6
RegCloseKey.ADVAPI32(00000000), ref: 00CDBBB3

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 1bd35dd6fbacf2a51d9bee8eb0d8a49812a81e2f3eb2ccbcd8a126d4ac20368f
Instruction ID: ff320fbe32dea72a1f1483ad5f73952c958c557063a538afd7bfb81eaf7bd750
Opcode Fuzzy Hash: 1bd35dd6fbacf2a51d9bee8eb0d8a49812a81e2f3eb2ccbcd8a126d4ac20368f
Instruction Fuzzy Hash: 6D619E35208241EFC714DF14C490E2ABBE5FF84308F55899EF5998B2A2DB31ED45DB92

Function 00CB8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00CB8BCD
VariantClear.OLEAUT32 ref: 00CB8C3E
VariantClear.OLEAUT32 ref: 00CB8C9D
VariantClear.OLEAUT32(?), ref: 00CB8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00CB8D3B

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: deb84d13674d02443711b6fbff1e108a2d1e156b005479bc687a557f432140c2
Instruction ID: 7f5f17e9b2a53502bedc610f2798009325b696b8ee09866409a0b5617e8471ee
Opcode Fuzzy Hash: deb84d13674d02443711b6fbff1e108a2d1e156b005479bc687a557f432140c2
Instruction Fuzzy Hash: 7B515BB5A0061AEFCB14CF68C894AAAB7F9FF89310F15855AE915DB350E730E911CF90

Function 00CC8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00CC8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00CC8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00CC8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00CC8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CC8C5F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: d6898dcb2b5bb545405aab6a04c7cffb152950cc3354b093ed426e1081987e11
Instruction ID: c18b197c02998c6de3f25477b7de07c201a919029e047409c3c949c2188088f9
Opcode Fuzzy Hash: d6898dcb2b5bb545405aab6a04c7cffb152950cc3354b093ed426e1081987e11
Instruction Fuzzy Hash: 84516B39A002159FCB14DF64C880E6EBBF5FF48314F088458E849AB362DB31ED95DB90

Function 00CD8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00CD8F40
GetProcAddress.KERNEL32(00000000,?), ref: 00CD8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00CD8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00CD9032
FreeLibrary.KERNEL32(00000000), ref: 00CD9052

Part of subcall function 00C6F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00CC1043,?,7529E610), ref: 00C6F6E6
Part of subcall function 00C6F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00CAFA64,00000000,00000000,?,?,00CC1043,?,7529E610,?,00CAFA64), ref: 00C6F70D

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 749afdf7ceb82f2ba1de357b7bffd150c990f7c3a822ee78220628463740bcbd
Instruction ID: 889386a88779c9d460997f34c07293930a2a2f0add4fc1a7caae81612c5df9f6
Opcode Fuzzy Hash: 749afdf7ceb82f2ba1de357b7bffd150c990f7c3a822ee78220628463740bcbd
Instruction Fuzzy Hash: 43514D39604205DFC715EF68C4949ADBBF1FF49314B448099E9169B362DB31EE8ACB90

Function 00CE6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00CE6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00CE6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00CE6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00CCAB79,00000000,00000000), ref: 00CE6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00CE6CC7

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 3020ad284d3c3ee62507d9fcc8f2076126af6365828146bf4b93a9423eca1507
Instruction ID: 3cdb65cd749ccce735bce2f95e296b733cb0139ef949e3d98784d239034c0c94
Opcode Fuzzy Hash: 3020ad284d3c3ee62507d9fcc8f2076126af6365828146bf4b93a9423eca1507
Instruction Fuzzy Hash: A941D635614184AFD724CF3ACC95FA97BA5EB19390F240268FCA5A72E0C371AE41DA50

Function 00C82051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C820C3
_free.LIBCMT ref: 00C820E3

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 677540bafe13e6e19ad4886aae05e778328c2cfe2082bacb90f36bd2a14b49c3
Instruction ID: 19fa7c14ca48fc77fbefda13de0abe8f936e251cc21b83a5555e4594380fc2bc
Opcode Fuzzy Hash: 677540bafe13e6e19ad4886aae05e778328c2cfe2082bacb90f36bd2a14b49c3
Instruction Fuzzy Hash: 0E410872A00200AFCB24EF78C888A5DB7F5EF88318F154569E515EB395DB31EE01DB84

Function 00C6912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C69141
ScreenToClient.USER32(00000000,?), ref: 00C6915E
GetAsyncKeyState.USER32(00000001), ref: 00C69183
GetAsyncKeyState.USER32(00000002), ref: 00C6919D

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 918eff8a636d9e164b93402b6ebfd7e8614685e103744bb0f72d0a669e8ec191
Instruction ID: 467664c7412858a3d8229ea72487f2946d89e31f75a666f1d2f6fe9ca7207244
Opcode Fuzzy Hash: 918eff8a636d9e164b93402b6ebfd7e8614685e103744bb0f72d0a669e8ec191
Instruction Fuzzy Hash: 3B416071A0860BFBDF159F69C884BEEB7B8FB06324F204315E429A7290C7345A55DB91

Function 00CC3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00CC38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00CC3922
TranslateMessage.USER32(?), ref: 00CC394B
DispatchMessageW.USER32(?), ref: 00CC3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CC3966

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: b6bec23712d5cece5e5cde52dcb16068a234bffca3fd139146f90b8eec50dc1c
Instruction ID: ac77c0081f1062320bb38f4b0c48a619a9c7e32aef1d608f81afad14fe7099a4
Opcode Fuzzy Hash: b6bec23712d5cece5e5cde52dcb16068a234bffca3fd139146f90b8eec50dc1c
Instruction Fuzzy Hash: DF3175749043C19EEB35CB35F888FB677A4AB25304F04C56DE472C6190D7B59786DB21

Function 00CCCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00CCC21E,00000000), ref: 00CCCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00CCCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00CCC21E,00000000), ref: 00CCCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00CCC21E,00000000), ref: 00CCCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00CCC21E,00000000), ref: 00CCCFF2

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 536d4d2505ad5b04c32de7b3aba978fd5214f323e1a3f37ea6ddab60fbf6cd84
Instruction ID: 3854918aa6e3e970a590388c12a4865f26d04955d15c4b4f4bc916e1a0a54c9f
Opcode Fuzzy Hash: 536d4d2505ad5b04c32de7b3aba978fd5214f323e1a3f37ea6ddab60fbf6cd84
Instruction Fuzzy Hash: A1312771A04205AFDB20DFE9D8C4FAEBBFAEB14351B10446EF52AD6151DB30EE419B60

Function 00CB1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CB1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00CB19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00CB19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00CB19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00CB19E2

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: cf3e8d3467f04115bc8e7a4e4dc874c49e42b7c447a55848bcd8e4cdb31d260a
Instruction ID: 5b862c047502e118593e048d6543c4e23ff8a0b4aad74c35ef98988780e37777
Opcode Fuzzy Hash: cf3e8d3467f04115bc8e7a4e4dc874c49e42b7c447a55848bcd8e4cdb31d260a
Instruction Fuzzy Hash: 0731C071A00299EFCB04CFA8CDA9BDE3BB5EB05315F144229FD21AB2D1C7709A54CB90

Function 00CE5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00CE5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00CE579D
_wcslen.LIBCMT ref: 00CE57AF
_wcslen.LIBCMT ref: 00CE57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CE5816

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 39f37cd60e2bad2729f37cfb7726e10176cb2ce52798844051ff002deeccbd90
Instruction ID: bfb13abe0166d93515ad4f1b23d2999fc7538845af663bd6be54e7c5c9e83a58
Opcode Fuzzy Hash: 39f37cd60e2bad2729f37cfb7726e10176cb2ce52798844051ff002deeccbd90
Instruction Fuzzy Hash: BF21A875904698DADB209F62CC85AEE77BCFF14728F108216F929EB1C1D7708A85CF50

Function 00CD0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00CD0951
GetForegroundWindow.USER32 ref: 00CD0968
GetDC.USER32(00000000), ref: 00CD09A4
GetPixel.GDI32(00000000,?,00000003), ref: 00CD09B0
ReleaseDC.USER32(00000000,00000003), ref: 00CD09E8

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 3698dfbafa3077699b7cb2f7f7fcad37f832d5ac96e9b28c8e5d4dc89d3ad49e
Instruction ID: 594d24da21126ddb91757a05688fd3f29a42f4389cf4cb8d43cd6d6ffdd7eb24
Opcode Fuzzy Hash: 3698dfbafa3077699b7cb2f7f7fcad37f832d5ac96e9b28c8e5d4dc89d3ad49e
Instruction Fuzzy Hash: FD216F35600204AFD704EF69C898BAEBBE9EF45701F14846DF85ADB352DB30AD45DB90

Function 00C8CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C8CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C8CDE9

Part of subcall function 00C83820: RtlAllocateHeap.NTDLL(00000000,?,00D21444,?,00C6FDF5,?,?,00C5A976,00000010,00D21440,00C513FC,?,00C513C6,?,00C51129), ref: 00C83852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C8CE0F
_free.LIBCMT ref: 00C8CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C8CE31

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 6d8ab31a937e9aeaa4028afa4ece43ecaa68528e80016acf287bca04a85b6643
Instruction ID: 2757b101a8a644c9b079cd05e2321c45f006a52e4f26fc0270cb97f7e3e8d00c
Opcode Fuzzy Hash: 6d8ab31a937e9aeaa4028afa4ece43ecaa68528e80016acf287bca04a85b6643
Instruction Fuzzy Hash: DA0184726012557F232136B66CCCE7F696DDFC6BA9315412EF915C7201EA718E0293B8

Function 00C69639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C69693
SelectObject.GDI32(?,00000000), ref: 00C696A2
BeginPath.GDI32(?), ref: 00C696B9
SelectObject.GDI32(?,00000000), ref: 00C696E2

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ce92a07591d6b55b396e09e5fc1c77e4068dbecdae2c7654ec6362b6a14888f9
Instruction ID: 77e5685c03939ebf394897ac28d7284816ec09f78729e02ea53a85dee65ccfad
Opcode Fuzzy Hash: ce92a07591d6b55b396e09e5fc1c77e4068dbecdae2c7654ec6362b6a14888f9
Instruction Fuzzy Hash: 9A212A74802345EBDB219F65DC987AD3BA9FB61355F108216F430A62B0D3709993DFA4

Function 00CB5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00CB5726
_memcmp.LIBVCRUNTIME ref: 00CB5744
_memcmp.LIBVCRUNTIME ref: 00CB5757
_memcmp.LIBVCRUNTIME ref: 00CB576F
_memcmp.LIBVCRUNTIME ref: 00CB5787

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 099628a64321df58506f8d5ee9dd8310f9d1ebc921500455361aeb00fe012157
Instruction ID: 48d33152b6f5bb597520f1a9ce9feb90a1e586b2b58d0155448ba9ed900d6875
Opcode Fuzzy Hash: 099628a64321df58506f8d5ee9dd8310f9d1ebc921500455361aeb00fe012157
Instruction Fuzzy Hash: 9801B5B2751609BBE21855169D82FFB735C9B21398F244034FD18BA281FB60EE5292A0

Function 00C82DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00C7F2DE,00C83863,00D21444,?,00C6FDF5,?,?,00C5A976,00000010,00D21440,00C513FC,?,00C513C6), ref: 00C82DFD
_free.LIBCMT ref: 00C82E32
_free.LIBCMT ref: 00C82E59
SetLastError.KERNEL32(00000000,00C51129), ref: 00C82E66
SetLastError.KERNEL32(00000000,00C51129), ref: 00C82E6F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: f28eb7395e5b2e5318d13e030aaedb191bbe5b399ca7dd44d1b1949fb28594de
Instruction ID: 07772bb4e2a94d7df7751256cdbafd2d1ee1d6af6d0f65ec475fb462be24b136
Opcode Fuzzy Hash: f28eb7395e5b2e5318d13e030aaedb191bbe5b399ca7dd44d1b1949fb28594de
Instruction Fuzzy Hash: 5401F4322457007BC61237356C8DE6F265DABD17AEB214028F831E32A3EF248D02533C

Function 00CB000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CAFF41,80070057,?,?,?,00CB035E), ref: 00CB002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CAFF41,80070057,?,?), ref: 00CB0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CAFF41,80070057,?,?), ref: 00CB0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CAFF41,80070057,?), ref: 00CB0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CAFF41,80070057,?,?), ref: 00CB0070

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: e760e9bbcf751f9969ca41c666c8bb65d537e777adc08456e51539f760fcaa2d
Instruction ID: 3e31379fb244d9f4064c2e2ae841e8429b6e5bc65350fb85d769345b027e67cb
Opcode Fuzzy Hash: e760e9bbcf751f9969ca41c666c8bb65d537e777adc08456e51539f760fcaa2d
Instruction Fuzzy Hash: 3C018F72600204BFDB215F69EC88BEF7BADEB44792F244124F905D6210D775DE418BA0

Function 00CBE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00CBE997
QueryPerformanceFrequency.KERNEL32(?), ref: 00CBE9A5
Sleep.KERNEL32(00000000), ref: 00CBE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00CBE9B7
Sleep.KERNEL32 ref: 00CBE9F3

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 647cffd8f0e629235da886e3812732a29e30c25b42b66684b65dfb645ec285de
Instruction ID: 28ea50e802097bf2fff64cd8f4498240a1968f54ab0f115899c58700ef5eea9e
Opcode Fuzzy Hash: 647cffd8f0e629235da886e3812732a29e30c25b42b66684b65dfb645ec285de
Instruction Fuzzy Hash: DD012531C01629DBCF00AFE5DC99BEDBB78FF09B01F000556E952B6251CB30A65ACBA1

Function 00CB10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CB1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00CB0B9B,?,?,?), ref: 00CB1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00CB0B9B,?,?,?), ref: 00CB112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00CB0B9B,?,?,?), ref: 00CB1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CB114D

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 3b463764ef0fec2d13f41a75891b6a7918ed6ff7b8b6d8ec90d6beeaca808e07
Instruction ID: 96fe8de28377804677e5e11627770f14bd285d9fbd015319dbef5a311469e9bc
Opcode Fuzzy Hash: 3b463764ef0fec2d13f41a75891b6a7918ed6ff7b8b6d8ec90d6beeaca808e07
Instruction Fuzzy Hash: 69016975200305BFDB114FA8DC89BAE3B6EEF8A3A0B240418FE51CB360DA31DD018A60

Function 00CB0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CB0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CB0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CB0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CB0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CB1002

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9f5205722d42f09db77b8f52568b1745633d753753d38719e2a0315f09934e80
Instruction ID: 5c8267f3a479bb80b260a5957eaf4597a566fe4ec051aecbea48ab472724363c
Opcode Fuzzy Hash: 9f5205722d42f09db77b8f52568b1745633d753753d38719e2a0315f09934e80
Instruction Fuzzy Hash: E1F0A935200345AFDB211FA4ACCDF9A3BADEF8A762F500414FE15CA250CA30DC418A60

Function 00CB1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CB102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CB1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CB1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00CB104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CB1062

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0b1357211b070aacf1d2e2c436e77a92b7cc0eacf0467e003dcd1db4209ebe6a
Instruction ID: 152f51f6b494ce78e5e502b458bc0379cdefac80efe18c5b1773a5e878b83b12
Opcode Fuzzy Hash: 0b1357211b070aacf1d2e2c436e77a92b7cc0eacf0467e003dcd1db4209ebe6a
Instruction Fuzzy Hash: 3EF06D35200341EBDB216FA4ECD9F9A3BADEF8A761F540414FE55CB250CA70D9518A60

Function 00CC030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00CC017D,?,00CC32FC,?,00000001,00C92592,?), ref: 00CC0324
CloseHandle.KERNEL32(?,?,?,?,00CC017D,?,00CC32FC,?,00000001,00C92592,?), ref: 00CC0331
CloseHandle.KERNEL32(?,?,?,?,00CC017D,?,00CC32FC,?,00000001,00C92592,?), ref: 00CC033E
CloseHandle.KERNEL32(?,?,?,?,00CC017D,?,00CC32FC,?,00000001,00C92592,?), ref: 00CC034B
CloseHandle.KERNEL32(?,?,?,?,00CC017D,?,00CC32FC,?,00000001,00C92592,?), ref: 00CC0358
CloseHandle.KERNEL32(?,?,?,?,00CC017D,?,00CC32FC,?,00000001,00C92592,?), ref: 00CC0365

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1b66fe5f78d5c34d53ee1e51a771ffaea271e2134564a29055e00f0aa9d095c4
Instruction ID: b58c96c8d5ed6f54973ed24fc3c68236db398119d024e7ead1c76231579a5c60
Opcode Fuzzy Hash: 1b66fe5f78d5c34d53ee1e51a771ffaea271e2134564a29055e00f0aa9d095c4
Instruction Fuzzy Hash: B201A272800B55DFCB309F66D880916FBF9BF503153298A3FD1A652931C371AA55CF80

Function 00C8D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C8D752

Part of subcall function 00C829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C8D7D1,00000000,00000000,00000000,00000000,?,00C8D7F8,00000000,00000007,00000000,?,00C8DBF5,00000000), ref: 00C829DE
Part of subcall function 00C829C8: GetLastError.KERNEL32(00000000,?,00C8D7D1,00000000,00000000,00000000,00000000,?,00C8D7F8,00000000,00000007,00000000,?,00C8DBF5,00000000,00000000), ref: 00C829F0

_free.LIBCMT ref: 00C8D764
_free.LIBCMT ref: 00C8D776
_free.LIBCMT ref: 00C8D788
_free.LIBCMT ref: 00C8D79A

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3213597dec67b41137d00b104890716a449c93d2d0c94b12692c2a2198f76b00
Instruction ID: 1b7aee5b6f439c8f55a94b33eede3e9594843ba3998fb28bec27ed446021a569
Opcode Fuzzy Hash: 3213597dec67b41137d00b104890716a449c93d2d0c94b12692c2a2198f76b00
Instruction Fuzzy Hash: 73F06232550304BB8621FB68F9C5C5677EDBB043187965805F059D7645CB34FC808B7C

Function 00CB5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00CB5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00CB5C6F
MessageBeep.USER32(00000000), ref: 00CB5C87
KillTimer.USER32(?,0000040A), ref: 00CB5CA3
EndDialog.USER32(?,00000001), ref: 00CB5CBD

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9fd3ddb34d5709d099c1f477a0f911c0353a06d1d866302203467ea13fd26edd
Instruction ID: bdd203e90aa3e0e8975b8f6a66d09079ddb88acfb8981d110fe46580183fd821
Opcode Fuzzy Hash: 9fd3ddb34d5709d099c1f477a0f911c0353a06d1d866302203467ea13fd26edd
Instruction Fuzzy Hash: 39018131500B44ABEB205B10DDCEFEA7BBDBB04B06F000559B593A50E1DBF0AA898A90

Function 00C822A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C822BE

Part of subcall function 00C829C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C8D7D1,00000000,00000000,00000000,00000000,?,00C8D7F8,00000000,00000007,00000000,?,00C8DBF5,00000000), ref: 00C829DE
Part of subcall function 00C829C8: GetLastError.KERNEL32(00000000,?,00C8D7D1,00000000,00000000,00000000,00000000,?,00C8D7F8,00000000,00000007,00000000,?,00C8DBF5,00000000,00000000), ref: 00C829F0

_free.LIBCMT ref: 00C822D0
_free.LIBCMT ref: 00C822E3
_free.LIBCMT ref: 00C822F4
_free.LIBCMT ref: 00C82305

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1fec65ed13f5ea6b99d8505a77db96b991ea09f5f0bce601b1d07f4cf7f2e05f
Instruction ID: 28578dc584c12bf2dac0308416c7dd857d63a2a61ba58af640010a85e3f72e0e
Opcode Fuzzy Hash: 1fec65ed13f5ea6b99d8505a77db96b991ea09f5f0bce601b1d07f4cf7f2e05f
Instruction Fuzzy Hash: 40F03A74890320DB8622BF54BC468483F64BB38764703550AF420D23B2CB341953ABBC

Function 00C695C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00C695D4
StrokeAndFillPath.GDI32(?,?,00CA71F7,00000000,?,?,?), ref: 00C695F0
SelectObject.GDI32(?,00000000), ref: 00C69603
DeleteObject.GDI32 ref: 00C69616
StrokePath.GDI32(?), ref: 00C69631

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: a421085379b08d063c899d655a8105ffabcbe8dcb5565bf83c0d87e82f2d281b
Instruction ID: 6ea115491d15a1fb9b8d5fc300a5918507315473314248eada85f8b830905f0d
Opcode Fuzzy Hash: a421085379b08d063c899d655a8105ffabcbe8dcb5565bf83c0d87e82f2d281b
Instruction Fuzzy Hash: B0F0C939005388EBDB365F65ED98BA83B65EB21322F048214F476991F0C7348A97DF21

Function 00C80F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00C810F9
__freea.LIBCMT ref: 00C81117

Part of subcall function 00C81537: _free.LIBCMT ref: 00C8154F

Strings

a/p, xrefs: 00C811DE
am/pm, xrefs: 00C8117A

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 88fa1951058b53af7dfae1bbed456975e2d25abc2cbf51e764130b427ac3cae2
Instruction ID: 3844fe633dfa871fb4a3acf94428a6187e83c58b8f03013816ce838b80f45836
Opcode Fuzzy Hash: 88fa1951058b53af7dfae1bbed456975e2d25abc2cbf51e764130b427ac3cae2
Instruction Fuzzy Hash: BCD10431900206DACB24BF69C845BFEB7F8EF06708F2C4159ED259B661D3359E82CB59

Function 00CD7B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00C70242: EnterCriticalSection.KERNEL32(00D2070C,00D21884,?,?,00C6198B,00D22518,?,?,?,00C512F9,00000000), ref: 00C7024D
Part of subcall function 00C70242: LeaveCriticalSection.KERNEL32(00D2070C,?,00C6198B,00D22518,?,?,?,00C512F9,00000000), ref: 00C7028A

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

Part of subcall function 00C700A3: __onexit.LIBCMT ref: 00C700A9

__Init_thread_footer.LIBCMT ref: 00CD7BFB

Part of subcall function 00C701F8: EnterCriticalSection.KERNEL32(00D2070C,?,?,00C68747,00D22514), ref: 00C70202
Part of subcall function 00C701F8: LeaveCriticalSection.KERNEL32(00D2070C,?,00C68747,00D22514), ref: 00C70235

Strings

5, xrefs: 00CD7C78
G, xrefs: 00CD7C7F
Variable must be of type 'Object'., xrefs: 00CD7C3A

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 088e775734e6948fb5a1a2445524255f4cbb3f6503492c1aed15c93dfa9a3ccc
Instruction ID: 46721d7de9debaae3bda793ded97fca75c250335f67a8d7771f89dc170469e50
Opcode Fuzzy Hash: 088e775734e6948fb5a1a2445524255f4cbb3f6503492c1aed15c93dfa9a3ccc
Instruction Fuzzy Hash: D4919C74A04208EFCB14EF54D881DADB7B2FF44300F10815AF916AB392EB31AE85DB61

Function 00CB2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CB21D0,?,?,00000034,00000800,?,00000034), ref: 00CBB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00CB2760

Part of subcall function 00CBB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CB21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00CBB3F8

Part of subcall function 00CBB32A: GetWindowThreadProcessId.USER32(?,?), ref: 00CBB355
Part of subcall function 00CBB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00CB2194,00000034,?,?,00001004,00000000,00000000), ref: 00CBB365
Part of subcall function 00CBB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00CB2194,00000034,?,?,00001004,00000000,00000000), ref: 00CBB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CB27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CB281A

Strings

@, xrefs: 00CB2832

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: f491a10270226cbc3e20964e4ca84bdd94064bb245055380da5baaa4ed3698e9
Instruction ID: 526bd43d84c2d293488973bc2d0d6a620410514433ecd7f1c346ef2aa2b618db
Opcode Fuzzy Hash: f491a10270226cbc3e20964e4ca84bdd94064bb245055380da5baaa4ed3698e9
Instruction Fuzzy Hash: 68413A76900218AFDB10DFA4CD85BEEBBB8EF09700F004099FA55B7191DB716E85DBA0

Function 00C8172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00C81769
_free.LIBCMT ref: 00C81834
_free.LIBCMT ref: 00C8183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00C81760, 00C81767, 00C81796, 00C817CE

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-517116171
Opcode ID: 6bc5c1a371f292f71dd034420b6c49fcb22197493523ae114890a55888b694b1
Instruction ID: b649fedb3bfa5e9520a359d4fd43e108388c164b0bbcc0693db8ae4b1722bc0a
Opcode Fuzzy Hash: 6bc5c1a371f292f71dd034420b6c49fcb22197493523ae114890a55888b694b1
Instruction Fuzzy Hash: 0331D375A00218EFCB21EF99D886D9EBBFCEF94314F19416AF814D7211D6704E42DBA8

Function 00CBC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00CBC306
DeleteMenu.USER32(?,00000007,00000000), ref: 00CBC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D21990,00DA5B50), ref: 00CBC395

Strings

0, xrefs: 00CBC2DF

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 134cb25e61e99a3215187d5f3f3fc8638689ecbea6960c227b5d135312451ec2
Instruction ID: 111d0c0c7214deb41fa1dbdb4546df9be7b553781ed15d1b8e36ade61d7f96f0
Opcode Fuzzy Hash: 134cb25e61e99a3215187d5f3f3fc8638689ecbea6960c227b5d135312451ec2
Instruction Fuzzy Hash: 60418E312043419FD720DF25D8C4F9ABBE8AF85320F548A5EF9A5972E1D770E904DB62

Function 00CE4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CECC08,00000000,?,?,?,?), ref: 00CE44AA
GetWindowLongW.USER32 ref: 00CE44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CE44D7

Strings

SysTreeView32, xrefs: 00CE447C

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 9332a2fc27aeee94248762c61e9bbe8d46e71b4a4ee834cdf5bda6cf1a35202d
Instruction ID: 178a367fd03a4e5f2f17c8f030309dac9ab83ccfa1edbc5e357812c05a005a1a
Opcode Fuzzy Hash: 9332a2fc27aeee94248762c61e9bbe8d46e71b4a4ee834cdf5bda6cf1a35202d
Instruction Fuzzy Hash: A3319C31210285AFDB249F39DC85BEB7BA9EB08334F204725F979921E0D770ED55AB50

Function 00CD304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00CD335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00CD3077,?,?), ref: 00CD3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CD307A
_wcslen.LIBCMT ref: 00CD309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00CD3106

Strings

255.255.255.255, xrefs: 00CD3095, 00CD309A

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 088b75371664db688f61171ed7d423219dfe5085a12dc8bb9b2fe170a7fb9ce5
Instruction ID: 4dd7a65f67489cdbc5645f16419a42de9682cb0523d682cebd638378d73e697f
Opcode Fuzzy Hash: 088b75371664db688f61171ed7d423219dfe5085a12dc8bb9b2fe170a7fb9ce5
Instruction Fuzzy Hash: D431A4396042869FC720CF69C585EAA77F0EF54314F24805AEA258B392DB71EF45C762

Function 00CE3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00CE3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00CE3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CE3F78

Strings

SysMonthCal32, xrefs: 00CE3F0B

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: b3b885fedb6331190b90310e1aa8a7b2ce923d8227f11390115f9412841bc68e
Instruction ID: 452b04a6a9f13a545af17c094224d8e4d5d3c092266aa8b92f135509232874eb
Opcode Fuzzy Hash: b3b885fedb6331190b90310e1aa8a7b2ce923d8227f11390115f9412841bc68e
Instruction Fuzzy Hash: 5521AD32600299BBDF218E91CC86FEA3B79EF48714F110254FE15AB1D0D6B1A9559BA0

Function 00CE4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CE4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CE4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CE471A

Strings

msctls_updown32, xrefs: 00CE4684

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 6b072c671ac12eaa97f59c0f7f013d3f02290ff5712ef22a85f465639de21292
Instruction ID: 0ea458f73823028f072c41e3e8dd2e444d28c016f190c5cc526dfd94cf67953a
Opcode Fuzzy Hash: 6b072c671ac12eaa97f59c0f7f013d3f02290ff5712ef22a85f465639de21292
Instruction Fuzzy Hash: C62160B5600249AFDB14DF65DCC1DAB37ADEF5A3A4B040059FA109B351CB30ED52DAA0

Function 00CB95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CB961D

Strings

#OnAutoItStartRegister, xrefs: 00CB95F3
#requireadmin, xrefs: 00CB95D9
#notrayicon, xrefs: 00CB95B7

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 096a1bcefb59daeda367df5d6fc8e4741bee49c4f9821281c418c9a7812ab1f1
Instruction ID: 46f85ffdff751d4b402bf5b5a42648b8e460d68ebc6e73ae2a197d7c1ce6e0ca
Opcode Fuzzy Hash: 096a1bcefb59daeda367df5d6fc8e4741bee49c4f9821281c418c9a7812ab1f1
Instruction Fuzzy Hash: AB215B3214411066C331AB259C02FFB73D8DF51300F10803AFB5997041EB719E8AD295

Function 00CE37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CE3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CE3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CE3876

Strings

Listbox, xrefs: 00CE380F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 334dcc4d6bdfe75075f1ae04cfa992ee98ace19c9e1ebf4a30ab8fe7dc9881ce
Instruction ID: 76a68a6d62471a2d93c304d5fdba4a130be9501eb52298394de707dde35ea7fc
Opcode Fuzzy Hash: 334dcc4d6bdfe75075f1ae04cfa992ee98ace19c9e1ebf4a30ab8fe7dc9881ce
Instruction Fuzzy Hash: 1021C272610298BBEF218F56CC89FBB376EEF89750F108125F9149B190C671ED52C7A0

Function 00CC49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00CC4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00CC4A5C
SetErrorMode.KERNEL32(00000000,?,?,00CECC08), ref: 00CC4AD0

Strings

%lu, xrefs: 00CC4A6F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: f3adf21dac110ed3e53d07958685026e30c77ac5250e237bf9782b385c27bae5
Instruction ID: c068c670792ddba7cccd8117e9abdf9d210f7638056008d9a77c07feae167368
Opcode Fuzzy Hash: f3adf21dac110ed3e53d07958685026e30c77ac5250e237bf9782b385c27bae5
Instruction Fuzzy Hash: C4312F75A00109AFDB10DF54C885EAE77F8EF05304F1480A9F905DB252D771EE46DB61

Function 00CE41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CE424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CE4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CE4271

Strings

msctls_trackbar32, xrefs: 00CE4226

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: a17ec24513260ed5dc49d6f81b60043d8de4f0e29fe06e1d075b3b3a11875442
Instruction ID: b4387f0bdb661c64f16248d4e9608215bbe2ad06e0634497d3fc1324d5795f6e
Opcode Fuzzy Hash: a17ec24513260ed5dc49d6f81b60043d8de4f0e29fe06e1d075b3b3a11875442
Instruction Fuzzy Hash: B6110631240288BEEF205F2ADC46FAB3BACEF95B64F010124FA55E60A0D671DC519B20

Function 00CB2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C56B57: _wcslen.LIBCMT ref: 00C56B6A

Part of subcall function 00CB2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00CB2DC5
Part of subcall function 00CB2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CB2DD6
Part of subcall function 00CB2DA7: GetCurrentThreadId.KERNEL32 ref: 00CB2DDD
Part of subcall function 00CB2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00CB2DE4

GetFocus.USER32 ref: 00CB2F78

Part of subcall function 00CB2DEE: GetParent.USER32(00000000), ref: 00CB2DF9

GetClassNameW.USER32(?,?,00000100), ref: 00CB2FC3
EnumChildWindows.USER32(?,00CB303B), ref: 00CB2FEB

Strings

%s%d, xrefs: 00CB2FFF

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 79e0fc5d3942934b516b395be58641ea759046ad60710e765978962d2a55044f
Instruction ID: 7474f17832cac075d9cb089a1e6f5664bf121a66accc46b79062030063ebd5d9
Opcode Fuzzy Hash: 79e0fc5d3942934b516b395be58641ea759046ad60710e765978962d2a55044f
Instruction Fuzzy Hash: D311AF75600245ABCF147F709CC6FEE376AAF94304F044079FD099B292DE749A4AEB60

Function 00CE5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CE58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CE58EE
DrawMenuBar.USER32(?), ref: 00CE58FD

Strings

0, xrefs: 00CE588F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 6077e7203c7f59362dd5e2b9b538ae66eaa965322ea80ff7f41464126ca78361
Instruction ID: e50d5569b5b95162e0b32875b76671ae320457646128e21da5023116c758cf04
Opcode Fuzzy Hash: 6077e7203c7f59362dd5e2b9b538ae66eaa965322ea80ff7f41464126ca78361
Instruction Fuzzy Hash: D2016131500298EFDB219F12DC84BEEBBB4FB45364F108099E949DA151DB318A95EF21

Function 00CAD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00CAD3BF
FreeLibrary.KERNEL32 ref: 00CAD3E5

Strings

X64, xrefs: 00CAD2A8
GetSystemWow64DirectoryW, xrefs: 00CAD3B9

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 26597bc981e344fde2ae3c0e633452e5b997675609821d14ef40ec106f8c81d6
Instruction ID: 6e2dcd1fb7c2c47a127f8171eb2e6f4d74efdb7ec8f171400cd4bda56e903785
Opcode Fuzzy Hash: 26597bc981e344fde2ae3c0e633452e5b997675609821d14ef40ec106f8c81d6
Instruction Fuzzy Hash: CAF0AB72902A239BCF3142125CD4BAD3330BF22709F558258F413E5924DB20CE49C2D2

Function 00CB007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f03419fc79a211351577c7e178aa14a0d71eab524218cb27dc734b04818b799c
Instruction ID: 06bed1846882701c6da56bcb2691f32b179c0f7a3f57eafbf8cd6736e6677249
Opcode Fuzzy Hash: f03419fc79a211351577c7e178aa14a0d71eab524218cb27dc734b04818b799c
Instruction Fuzzy Hash: 45C13D75A00216EFDB14CF98C898BAEB7B5FF48704F208598E515EB261D731DE81DB90

Function 00C83E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C83F0B
__alldvrm.LIBCMT ref: 00C8410C
__alldvrm.LIBCMT ref: 00C8412E

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 2df22ed3ca6d3de78d0f906292974da1c7a508ad5f411d227c747024c1134919
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 3AA19C32D003839FDB19EF18C8817AEBBE4EF61358F1841ADE5558B241C7348E41C798

Function 00CD342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00CD3459
CoUninitialize.OLE32 ref: 00CD3463
VariantInit.OLEAUT32(?), ref: 00CD346E
VariantClear.OLEAUT32(?), ref: 00CD371B

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 0f7e27cd1577609bcc16ffaed4457c9799096c21b89975a7b76c95d4f863a2cb
Instruction ID: f7eab9cd955cdafd52bf7c5c239e8bb29e445ce7c5947334e981645dce5601df
Opcode Fuzzy Hash: 0f7e27cd1577609bcc16ffaed4457c9799096c21b89975a7b76c95d4f863a2cb
Instruction Fuzzy Hash: 72A15A792043009FC710DF28C585A2AB7E5FF88714F04895EFA8A9B362DB30EE45DB56

Function 00CB0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CEFC08,?), ref: 00CB05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CEFC08,?), ref: 00CB0608
CLSIDFromProgID.OLE32(?,?,00000000,00CECC40,000000FF,?,00000000,00000800,00000000,?,00CEFC08,?), ref: 00CB062D
_memcmp.LIBVCRUNTIME ref: 00CB064E

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: a36d6ffac3ecc77e144576b804aa7df27667123122946626b8036ce6a8339e3c
Instruction ID: c0d2d1846ac7af78802d8acf0178671d73060d4c2d437956c9fd9fe7b77a3733
Opcode Fuzzy Hash: a36d6ffac3ecc77e144576b804aa7df27667123122946626b8036ce6a8339e3c
Instruction Fuzzy Hash: 60812B75A00109EFCB04DF94C984EEEB7B9FF89315F204558F516AB250DB71AE46CB60

Function 00CDA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00CDA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00CDA6BA

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

Process32NextW.KERNEL32(00000000,?), ref: 00CDA79C
CloseHandle.KERNEL32(00000000), ref: 00CDA7AB

Part of subcall function 00C6CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00C93303,?), ref: 00C6CE8A

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 2ce2820df5cea82f813f1af8a9e823a0093f4430d551bc944b696a93e327c7b6
Instruction ID: 264376b79a2c39284aa4879576d430c524f9b84873ccde113de51330ae9d7281
Opcode Fuzzy Hash: 2ce2820df5cea82f813f1af8a9e823a0093f4430d551bc944b696a93e327c7b6
Instruction Fuzzy Hash: B6518D75508300AFD710EF24C886A6FBBE8FF89754F40491DF985972A2EB30D949DB92

Function 00C91391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C914C0

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8e9d5120ff997edef3e605d411ee21599c7e97fafb6c89349d363f6c8661f21d
Instruction ID: 43f7f443dcdae0fd621a7aed41d24b4fcfffe92ead8e5b7cccc592b95402cc67
Opcode Fuzzy Hash: 8e9d5120ff997edef3e605d411ee21599c7e97fafb6c89349d363f6c8661f21d
Instruction Fuzzy Hash: 2C4130356001025BDF217BF98C8F6BE3AA4EF45370F2D4265FC29D6192D6348A416772

Function 00CE6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CE62E2
ScreenToClient.USER32(?,?), ref: 00CE6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00CE6382

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: a923226ddb5e4e7fc3b8380b621e6b2bb9d391dbfc065accfa75d27b9114cc54
Instruction ID: ec6683bd04d8fc7e136a9d2ae15197066b535722cec804be7e6b276827094f1f
Opcode Fuzzy Hash: a923226ddb5e4e7fc3b8380b621e6b2bb9d391dbfc065accfa75d27b9114cc54
Instruction Fuzzy Hash: F9512E74910245EFCF10DF55D881AAE7BB6FF653A0F108159F9259B2A0D730EE81CB50

Function 00CD1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00CD1AFD
WSAGetLastError.WSOCK32 ref: 00CD1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00CD1B8A
WSAGetLastError.WSOCK32 ref: 00CD1B94

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: f9fbb410ee826e9e8b6f89f2add854824d59328cb2d9510a806c940094de46b9
Instruction ID: ff7086fe2954fb01a120fffffed9b6e5e712cb689483421708c6695d8bbc4566
Opcode Fuzzy Hash: f9fbb410ee826e9e8b6f89f2add854824d59328cb2d9510a806c940094de46b9
Instruction Fuzzy Hash: 40419478600200BFE720AF24C886F2A77E5AB44718F548559FA559F3D3D772ED81DB90

Function 00C8B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e82eb2ca4b8c60e81c6171578d79d434410e52bb0e11efb6daadacda9130bbc
Instruction ID: 1e1ead350e687f664772f44474245efa9a7064888eef4f0d62fd76491e34b364
Opcode Fuzzy Hash: 6e82eb2ca4b8c60e81c6171578d79d434410e52bb0e11efb6daadacda9130bbc
Instruction Fuzzy Hash: D9412971A00304BFD724AF38CC46BAABBE9EBC4714F10852EF556DB292D371AE019794

Function 00CC56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00CC5783
GetLastError.KERNEL32(?,00000000), ref: 00CC57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00CC57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00CC57FA

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: d53fc639af5ca829b5625da9fb8b94e40b23a0b8d53a43803ebcb6f67e60b4bf
Instruction ID: 4ffcc88b1d26681bf96dac3729802ec594738213573dc72e19ec3853dfa2a5cf
Opcode Fuzzy Hash: d53fc639af5ca829b5625da9fb8b94e40b23a0b8d53a43803ebcb6f67e60b4bf
Instruction Fuzzy Hash: C9413E39600610DFCB11DF15C484A5EBBE1EF89321B198488EC5A9F362DB30FD85DB95

Function 00C8D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00C76D71,00000000,00000000,00C782D9,?,00C782D9,?,00000001,00C76D71,8BE85006,00000001,00C782D9,00C782D9), ref: 00C8D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C8D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00C8D9AB
__freea.LIBCMT ref: 00C8D9B4

Part of subcall function 00C83820: RtlAllocateHeap.NTDLL(00000000,?,00D21444,?,00C6FDF5,?,?,00C5A976,00000010,00D21440,00C513FC,?,00C513C6,?,00C51129), ref: 00C83852

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 106e9d531d8e6954f1ecc61e426fc120f7ba40292bb408df1bbe009a3d1a7e55
Instruction ID: bd5238b7e87bd00988e50527b8105065093955ca7f3856670149a1064c76bddf
Opcode Fuzzy Hash: 106e9d531d8e6954f1ecc61e426fc120f7ba40292bb408df1bbe009a3d1a7e55
Instruction Fuzzy Hash: 68310172A1021AABDF24EF65DC81EEE7BA5EB41314F054168FC19DB290EB35CE51CB90

Function 00CE52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00CE5352
GetWindowLongW.USER32(?,000000F0), ref: 00CE5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CE5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CE53A8

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 7d4124057605bac5e18ed2f5ae892e8cd37e7ef7db8f62ce970aa85df98c2947
Instruction ID: 35cecf120a7febd678d858b4e9a813660fe231f19fb37b7ecaa4091883e1f489
Opcode Fuzzy Hash: 7d4124057605bac5e18ed2f5ae892e8cd37e7ef7db8f62ce970aa85df98c2947
Instruction Fuzzy Hash: 9E310838A55A88EFEF309F16CC45FE97766AB04394F584101FA20962F1C7B09E80EB51

Function 00CBAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00CBABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00CBAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00CBAC74
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00CBACC6

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d66c980d1cbafbff4a0dc058d1ea4e0d4ab45eedd2b41e7ffa843632d8f9b591
Instruction ID: 380d9d661662322ac4bec2636f4702d7e1bc1d86f0c991766e90bea942be1929
Opcode Fuzzy Hash: d66c980d1cbafbff4a0dc058d1ea4e0d4ab45eedd2b41e7ffa843632d8f9b591
Instruction Fuzzy Hash: FD313530A00758AFEF35CB698C497FE7FA5AB89310F04431AE4E1971D1D3768A8197A2

Function 00CE7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00CE769A
GetWindowRect.USER32(?,?), ref: 00CE7710
PtInRect.USER32(?,?,00CE8B89), ref: 00CE7720
MessageBeep.USER32(00000000), ref: 00CE778C

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e677db0671bcfd9ad288561408f25bb4de81bf9921bd1555511b6ac933bd1715
Instruction ID: 82d27d928846c3f5443873f6a7e7c342197777d6ea3b74e3020dc63abd08fbfd
Opcode Fuzzy Hash: e677db0671bcfd9ad288561408f25bb4de81bf9921bd1555511b6ac933bd1715
Instruction Fuzzy Hash: 12418038605294DFDB12CF5AC894FA977F5FB59314F1582A8E424DB361C730AA82CF90

Function 00CE16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00CE16EB

Part of subcall function 00CB3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CB3A57
Part of subcall function 00CB3A3D: GetCurrentThreadId.KERNEL32 ref: 00CB3A5E
Part of subcall function 00CB3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CB25B3), ref: 00CB3A65

GetCaretPos.USER32(?), ref: 00CE16FF
ClientToScreen.USER32(00000000,?), ref: 00CE174C
GetForegroundWindow.USER32 ref: 00CE1752

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b99fe17033323c11254096c5b0570e32ecbf95ae601a6f75bea484aa56595a34
Instruction ID: 13974becd9adede3b879fbddebf61c81e7dc526c854cad46c3bbb8a51958f38f
Opcode Fuzzy Hash: b99fe17033323c11254096c5b0570e32ecbf95ae601a6f75bea484aa56595a34
Instruction Fuzzy Hash: A4313275D00249AFC704EFAAC8C1DEEB7F9EF49304B548069E815E7251D7319E45DBA0

Function 00CBDF95 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00C57620: _wcslen.LIBCMT ref: 00C57625

_wcslen.LIBCMT ref: 00CBDFCB
_wcslen.LIBCMT ref: 00CBDFE2
_wcslen.LIBCMT ref: 00CBE00D
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00CBE018

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 83500932d3efffb1387d6474f17301b56c618c9fef15ed389da8f46746847eec
Instruction ID: 59d773ff088d7cc6c1909b3548d88ffc9a5eabc2b3119ea6caecff586e843467
Opcode Fuzzy Hash: 83500932d3efffb1387d6474f17301b56c618c9fef15ed389da8f46746847eec
Instruction Fuzzy Hash: 38219275900214AFCB20EFA8D982BBEB7F8EF45750F144069F905BB245D7709E41DBA2

Function 00CE8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C69BB2

GetCursorPos.USER32(?), ref: 00CE9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00CA7711,?,?,?,?,?), ref: 00CE9016
GetCursorPos.USER32(?), ref: 00CE905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00CA7711,?,?,?), ref: 00CE9094

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 61031441a214042ec659ad0092b2a7b77c77ffab227737ed108afb269c6f5846
Instruction ID: e928726bcbec4da2a34ed5888942b5798eef65d9986803a37eb992efa8007ebc
Opcode Fuzzy Hash: 61031441a214042ec659ad0092b2a7b77c77ffab227737ed108afb269c6f5846
Instruction Fuzzy Hash: 4821EF36200158EFCB258F96C898FEA7BB9EF89310F404055F9158B261C7359A91EB60

Function 00CBD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00CECB68), ref: 00CBD2FB
GetLastError.KERNEL32 ref: 00CBD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00CBD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00CECB68), ref: 00CBD376

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: f30d34ae48d547130362edf7f1d7e5fa01976e02d1fbbd5265d428e45af8b311
Instruction ID: 9035a5bd0f624fa5521895979273a69a1676dabd5f64a7736ad9dd066f4d7473
Opcode Fuzzy Hash: f30d34ae48d547130362edf7f1d7e5fa01976e02d1fbbd5265d428e45af8b311
Instruction Fuzzy Hash: 2C219174504301DF8300DF28C8815AE77F4EE56365F104A1DF8AAC72A2E731DA8ACB93

Function 00CB1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CB102A
Part of subcall function 00CB1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CB1036
Part of subcall function 00CB1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CB1045
Part of subcall function 00CB1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00CB104C
Part of subcall function 00CB1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CB1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00CB15BE
_memcmp.LIBVCRUNTIME ref: 00CB15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CB1617
HeapFree.KERNEL32(00000000), ref: 00CB161E

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 8b77e910cecd6a5e4bd4a1fc34415b6610c936bcebb34353422bf26c57a2c8dd
Instruction ID: bf414c302690871f64254cceadac645ebce53b495924c7d7434b477be2150d5b
Opcode Fuzzy Hash: 8b77e910cecd6a5e4bd4a1fc34415b6610c936bcebb34353422bf26c57a2c8dd
Instruction Fuzzy Hash: B421AF31E40208EFDF10DFA4C995BEEB7B8EF44354F484459E851AB241E730AB05DBA0

Function 00CE2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00CE280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CE2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CE2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00CE2840

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 62df5b3e276cf9f3d85d29a7f423fdb68f1864cd475a0aedacf1a15701d3a7f1
Instruction ID: c7a3fc4c1c1b5274f9ac0b91f807a7c58a84e472ffdb069470eefee6f3a8849b
Opcode Fuzzy Hash: 62df5b3e276cf9f3d85d29a7f423fdb68f1864cd475a0aedacf1a15701d3a7f1
Instruction Fuzzy Hash: 3121D336205191AFD7149B25CC85FAA7BA9EF85324F148158F8268B6E2C771FD82C790

Function 00CB78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00CB790A,?,000000FF,?,00CB8754,00000000,?,0000001C,?,?), ref: 00CB8D8C
Part of subcall function 00CB8D7D: lstrcpyW.KERNEL32(00000000,?,?,00CB790A,?,000000FF,?,00CB8754,00000000,?,0000001C,?,?,00000000), ref: 00CB8DB2
Part of subcall function 00CB8D7D: lstrcmpiW.KERNEL32(00000000,?,00CB790A,?,000000FF,?,00CB8754,00000000,?,0000001C,?,?), ref: 00CB8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00CB8754,00000000,?,0000001C,?,?,00000000), ref: 00CB7923
lstrcpyW.KERNEL32(00000000,?,?,00CB8754,00000000,?,0000001C,?,?,00000000), ref: 00CB7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00CB8754,00000000,?,0000001C,?,?,00000000), ref: 00CB7984

Strings

cdecl, xrefs: 00CB797B

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 2a8c3836e208e24f7bf11cb46815166964f3726047e0fe68dea64cb85324bdb2
Instruction ID: 532760a04b4ea8f56039dcf8f3f6a6a98ec5b4a68fda3653be63cbece72d9941
Opcode Fuzzy Hash: 2a8c3836e208e24f7bf11cb46815166964f3726047e0fe68dea64cb85324bdb2
Instruction Fuzzy Hash: 1211063A200242ABCF25AF34D884EBA77A9FF95350F00412AFC02CB264EB31D911D761

Function 00CE7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00CE7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00CE7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CE7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00CCB7AD,00000000), ref: 00CE7D6B

Part of subcall function 00C69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C69BB2

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 07b2ca2df50a10ba63f9deb8ccb7fa83900f2a0bb21aba092e3dbe85433bbefc
Instruction ID: d47c88289fb68432f4de7597bbdd49e659e1b44730a7eae365dd695ffe8ec5e0
Opcode Fuzzy Hash: 07b2ca2df50a10ba63f9deb8ccb7fa83900f2a0bb21aba092e3dbe85433bbefc
Instruction Fuzzy Hash: 74119035505695AFCB109F29CC44A7A3BA9EF45360B258724F835DB2F0D7309E51DB50

Function 00CE5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00CE56BB
_wcslen.LIBCMT ref: 00CE56CD
_wcslen.LIBCMT ref: 00CE56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CE5816

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 3fca593d212f7c9ac995d5140760b05f7b3ba693a12725f52b9772e748e42da2
Instruction ID: d20fe8832d333b8f1f035500d7ed16eba49cb1643e8d5b92a48ca2e717958e80
Opcode Fuzzy Hash: 3fca593d212f7c9ac995d5140760b05f7b3ba693a12725f52b9772e748e42da2
Instruction Fuzzy Hash: 1D11E675600699A6DF20DF63CCC5AEE77ACEF10768F108026F925D6181E770CA85CB64

Function 00C81D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 935564d64c2223507ad05218139c5f989da8edebf6222a1ecc5b7ad1f77ed1a9
Instruction ID: d6d81df89fe33b4668255a2828aef945e94ea4bf942182114ed0825e374dcc0a
Opcode Fuzzy Hash: 935564d64c2223507ad05218139c5f989da8edebf6222a1ecc5b7ad1f77ed1a9
Instruction Fuzzy Hash: EE01A2B22056167EF62236786CC0F2B669CDF423BCB390726F931911D2DB608D025378

Function 00CB1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00CB1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CB1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CB1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CB1A8A

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3a78a517bf5c5d64056680193f44be07fd47dca5b9212730441a578b9f46c791
Instruction ID: c6ab4e33812b5e47350131abfb25d416be665341736b91c285025766faf3f07e
Opcode Fuzzy Hash: 3a78a517bf5c5d64056680193f44be07fd47dca5b9212730441a578b9f46c791
Instruction Fuzzy Hash: 6C11273A901219FFEB109BA5C985FEDBB78EB08750F240091EA00B7290D6716F50EB94

Function 00CBE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00CBE1FD
MessageBoxW.USER32(?,?,?,?), ref: 00CBE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00CBE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00CBE24D

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 99a3422f7d7740118941914ce681a2d1a056f17eb91c54a9ab2eed4f74338bc7
Instruction ID: a12ede3bdb68b597384bdea4d05b4d1eaf97e4d8efcc817a9a170006d7a21b5b
Opcode Fuzzy Hash: 99a3422f7d7740118941914ce681a2d1a056f17eb91c54a9ab2eed4f74338bc7
Instruction Fuzzy Hash: B4114876904244BFC710DBA89C85BDE3FAD9B51720F008215F825D3391C270CE0187B1

Function 00C7D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00C7CFF9,00000000,00000004,00000000), ref: 00C7D218
GetLastError.KERNEL32 ref: 00C7D224
__dosmaperr.LIBCMT ref: 00C7D22B
ResumeThread.KERNEL32(00000000), ref: 00C7D249

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: fc5ba65eeda14e514b2a23642af58dee9961a58f7e7d73a60d278c7bd0848654
Instruction ID: 3eb37fea0b018a03029f02ebdb38226ca046f4945195302417569b2627b63fa5
Opcode Fuzzy Hash: fc5ba65eeda14e514b2a23642af58dee9961a58f7e7d73a60d278c7bd0848654
Instruction Fuzzy Hash: D401D6764052047BC7115BA6DC49BAE7A79DF81731F208219F93A961D1CB708D02D6A0

Function 00CE9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00C69BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C69BB2

GetClientRect.USER32(?,?), ref: 00CE9F31
GetCursorPos.USER32(?), ref: 00CE9F3B
ScreenToClient.USER32(?,?), ref: 00CE9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00CE9F7A

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 85c9ca7316614324158511ed0de14a050f360e0e62e43a3e5a6217b16377a832
Instruction ID: a699eb47c2cef039d783d5e512b11b3138c79e649330f929385b9f1709f7278d
Opcode Fuzzy Hash: 85c9ca7316614324158511ed0de14a050f360e0e62e43a3e5a6217b16377a832
Instruction Fuzzy Hash: DC11487290029AABDB10DFAAD889AEE77B8FB45311F000451F911E7141D330BA82DBA1

Function 00C5600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C5604C
GetStockObject.GDI32(00000011), ref: 00C56060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C5606A

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: faecbf6ac5685ee7872199ab824af2a7e792d5c6600aae5487c6086ceb7cd106
Instruction ID: 3a2442fc16d89972ea8d46be34b1f96db149f611be640a9d4c616a560c182328
Opcode Fuzzy Hash: faecbf6ac5685ee7872199ab824af2a7e792d5c6600aae5487c6086ceb7cd106
Instruction Fuzzy Hash: 1F118E72101648BFEF124F94CC84FEEBF69EF58365F400201FE1456150C7329CA19BA4

Function 00C73B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00C73B56

Part of subcall function 00C73AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00C73AD2
Part of subcall function 00C73AA3: ___AdjustPointer.LIBCMT ref: 00C73AED

_UnwindNestedFrames.LIBCMT ref: 00C73B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00C73B7C
CallCatchBlock.LIBVCRUNTIME ref: 00C73BA4

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: c8c2185b3bd2249973d58146930278c7dc9f6ba19edf74bec9928d9154b9b5f4
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 9F01E932100189BBDF125E95CC46EEB7F6AEF58754F048018FE5C96121C732E961FBA1

Function 00C83073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00C513C6,00000000,00000000,?,00C8301A,00C513C6,00000000,00000000,00000000,?,00C8328B,00000006,FlsSetValue), ref: 00C830A5
GetLastError.KERNEL32(?,00C8301A,00C513C6,00000000,00000000,00000000,?,00C8328B,00000006,FlsSetValue,00CF2290,FlsSetValue,00000000,00000364,?,00C82E46), ref: 00C830B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00C8301A,00C513C6,00000000,00000000,00000000,?,00C8328B,00000006,FlsSetValue,00CF2290,FlsSetValue,00000000), ref: 00C830BF

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 7e856bba82ed4a08691c79cf0b6b96e1aa3af3b9582d19812872a5518600ce64
Instruction ID: 6008199518575f7eb7cdd5f5151b4d8788da974a2cbc7512cbf6ebfa00d4459b
Opcode Fuzzy Hash: 7e856bba82ed4a08691c79cf0b6b96e1aa3af3b9582d19812872a5518600ce64
Instruction Fuzzy Hash: 2501F732301362ABCB315BB99CC4B6B7B98AF45F65B111720F925E7180C721DA02C7E4

Function 00CB7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00CB747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00CB7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00CB74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00CB74CA

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 195f13d1bec339dbadccad38c818ec39e33c6e83de5eed798474f30c972c7ec7
Instruction ID: e9dc75cbbf06f4de8276beb391d8dd58c1f6d164953d0ec89a582b410a6d0994
Opcode Fuzzy Hash: 195f13d1bec339dbadccad38c818ec39e33c6e83de5eed798474f30c972c7ec7
Instruction Fuzzy Hash: A611A1B12053149BE7208F14DC48FE67BFCEB40B01F108669AA26DA191D770E944DF50

Function 00CBB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00CBACD3,?,00008000), ref: 00CBB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00CBACD3,?,00008000), ref: 00CBB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00CBACD3,?,00008000), ref: 00CBB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00CBACD3,?,00008000), ref: 00CBB126

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 6e8138b0de53f2ad55fba9f4492f6d73384b2027bdadb45d283804e7f61391ba
Instruction ID: bf9a02b20ff49e56c947e42d5ef527218a6600c0da5e7e692159d118dcd8aa49
Opcode Fuzzy Hash: 6e8138b0de53f2ad55fba9f4492f6d73384b2027bdadb45d283804e7f61391ba
Instruction Fuzzy Hash: D4116D71C01A2CE7CF10AFE9E9987FEBB78FF0A711F104096D951B6281CBB09A518B51

Function 00CE7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00CE7E33
ScreenToClient.USER32(?,?), ref: 00CE7E4B
ScreenToClient.USER32(?,?), ref: 00CE7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CE7E8A

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: eaac4183d92b5ad50324a7c63ac9cb978a1232e656a3f076a5f41ec467a2b255
Instruction ID: f98b9f46ed6dd1def4206ca82ce2151d19525d5650e740a36e0bd5fd992e5320
Opcode Fuzzy Hash: eaac4183d92b5ad50324a7c63ac9cb978a1232e656a3f076a5f41ec467a2b255
Instruction Fuzzy Hash: 541144B9D0024AAFDB41CF99D884AEEBBF9FF08310F505156E925E3210D735AA55CF50

Function 00CB2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00CB2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00CB2DD6
GetCurrentThreadId.KERNEL32 ref: 00CB2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00CB2DE4

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f871b0e0fa76caef95bbc95aed17956d8b6c5026faa4c4cb61d98f0c25029f22
Instruction ID: dba161f05749592d84420c98022d041115b71509c2e044f45b744452381f7995
Opcode Fuzzy Hash: f871b0e0fa76caef95bbc95aed17956d8b6c5026faa4c4cb61d98f0c25029f22
Instruction Fuzzy Hash: 6BE01272501234BBDB201B739CCDFEF7E6CEF56BA1F400119F515D50909AA5C942C6B1

Function 00CE8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C69639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C69693
Part of subcall function 00C69639: SelectObject.GDI32(?,00000000), ref: 00C696A2
Part of subcall function 00C69639: BeginPath.GDI32(?), ref: 00C696B9
Part of subcall function 00C69639: SelectObject.GDI32(?,00000000), ref: 00C696E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00CE8887
LineTo.GDI32(?,?,?), ref: 00CE8894
EndPath.GDI32(?), ref: 00CE88A4
StrokePath.GDI32(?), ref: 00CE88B2

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: bdead8bc273d1386abd97cbff0068e5197ae78e0da915df972d9fa35a37ab1ec
Instruction ID: d7064b2daf3b3bf4fef315b208833195d20eef4f12ab6ca5665400ac2b10d957
Opcode Fuzzy Hash: bdead8bc273d1386abd97cbff0068e5197ae78e0da915df972d9fa35a37ab1ec
Instruction Fuzzy Hash: E2F05E3A041298FADB225F94AC89FCE3F59AF16710F048000FE21691E1C7755652DFE5

Function 00C698B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C698CC
SetTextColor.GDI32(?,?), ref: 00C698D6
SetBkMode.GDI32(?,00000001), ref: 00C698E9
GetStockObject.GDI32(00000005), ref: 00C698F1

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: b624f88195ef70571d331b68cdcf5a4f47ecc4d985759ba44bfceeb565bebdd8
Instruction ID: ced5e55f4829f4f2ac80f72d1a0e68befa5062e7df1972bb2859a4551d8472b5
Opcode Fuzzy Hash: b624f88195ef70571d331b68cdcf5a4f47ecc4d985759ba44bfceeb565bebdd8
Instruction Fuzzy Hash: 0AE06D32244680AADB215B78EC89BEC3F20EB12336F048319F6FA580E1C37246419F10

Function 00CB162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00CB1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00CB11D9), ref: 00CB163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00CB11D9), ref: 00CB1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00CB11D9), ref: 00CB164F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 800590b3d0fdd574f0dd3a54515023ad4e5a3fbdc8e609c588a9a78e6a1f8679
Instruction ID: 00bfc34ebc0dd08b1beac4c251b6f060147ea57161279981141f5e4e4077c053
Opcode Fuzzy Hash: 800590b3d0fdd574f0dd3a54515023ad4e5a3fbdc8e609c588a9a78e6a1f8679
Instruction Fuzzy Hash: E6E08C32602211EBD7201FA4AECDB8E3B7CEF447A2F188808FA55CD090E7348942CB60

Function 00CAD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00CAD858
GetDC.USER32(00000000), ref: 00CAD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CAD882
ReleaseDC.USER32(?), ref: 00CAD8A3

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4e16254bd5659c13062f230b4657ad5eeda2c51c99dc45a2b7abb9cfd5d86110
Instruction ID: 17db8ed4723eab357b8740f79a0663bfbaaeeb6fd5de34589f46ff41407b8529
Opcode Fuzzy Hash: 4e16254bd5659c13062f230b4657ad5eeda2c51c99dc45a2b7abb9cfd5d86110
Instruction Fuzzy Hash: C5E01AB4800205DFCF419FA5D8C876EBBB5FB48311F108409F817EB250C7384942AF40

Function 00CAD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00CAD86C
GetDC.USER32(00000000), ref: 00CAD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CAD882
ReleaseDC.USER32(?), ref: 00CAD8A3

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e241490bb65b7d96871098063966e4c977c220852ad1ef2be0384e8b68bd364e
Instruction ID: f47a2ad1aede0206d9312207ea29e7769ac665c2cfa3a65f95e8c5c156ae31d5
Opcode Fuzzy Hash: e241490bb65b7d96871098063966e4c977c220852ad1ef2be0384e8b68bd364e
Instruction Fuzzy Hash: 19E012B4C00200EFCF50AFA4D8C876EBBB9FB48311B108408F82AEB250CB385902AF40

Function 00CC4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C57620: _wcslen.LIBCMT ref: 00C57625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00CC4ED4

Strings

LPT, xrefs: 00CC4DFB
*, xrefs: 00CC4E10

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 7d61b323971540622bac3365c5f4add2c5afe0ad16a899a6a2beeb3712a9c072
Instruction ID: de8ace7a1ab023b99c672fdd932d93b011ed76fa82d9aaa65a4b428bdc750e09
Opcode Fuzzy Hash: 7d61b323971540622bac3365c5f4add2c5afe0ad16a899a6a2beeb3712a9c072
Instruction Fuzzy Hash: FB913B75A002049FDB18DF98C494FAABBF1AF44304F19809DE85A9B362D735EE85CB91

Function 00C7E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C7E30D

Strings

pow, xrefs: 00C7E2E5, 00C7E302

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 740004aab79589342fed9b55ff1358c56fb2c1943a5703965ba59b2bb6da906f
Instruction ID: 71c9ae2c1cc75f44b96d184e0738c27240936aad2ff3e432b4fa35c90342d123
Opcode Fuzzy Hash: 740004aab79589342fed9b55ff1358c56fb2c1943a5703965ba59b2bb6da906f
Instruction Fuzzy Hash: 14514C62A0C2029ACB157714C94137D3BA4AB54745F34CED9E0B9832F9FB35CD91EB4A

Function 00C6E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00C6E1B1

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 9b7bd1434a730b4eefece289cfb98afdb95b0f697c3e7f595591f0e2509040b4
Instruction ID: 2a2d4574530c569acfecd2325e5e18b0baee055c1f962f338c79dc2e351c0400
Opcode Fuzzy Hash: 9b7bd1434a730b4eefece289cfb98afdb95b0f697c3e7f595591f0e2509040b4
Instruction Fuzzy Hash: 5F516579500346DFDB28DF68C4916BA7BA9EF16314F244056FCA1DB2C0DB349E82DBA0

Function 00C6F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C6F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C6F2BB

Strings

@, xrefs: 00C6F2AF

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 649a7d86cb711ffb62339822a39d37726aa72aa1c3f5dded39a7a4afd94391ca
Instruction ID: ea7984d40e00efe9d37c13af4bdf08e68999ee78169533b851c920d6425caf02
Opcode Fuzzy Hash: 649a7d86cb711ffb62339822a39d37726aa72aa1c3f5dded39a7a4afd94391ca
Instruction Fuzzy Hash: ED5158754087449BD320AF54EC86BAFBBF8FB84301F81894CF5D941195EB3085A9CB6A

Function 00CD5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00CD57E0
_wcslen.LIBCMT ref: 00CD57EC

Strings

CALLARGARRAY, xrefs: 00CD57E6, 00CD57EB

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: a823590da0de0ac1b8ac629cd673e97f5eed6b552d3aff42aa33357f5457b60e
Instruction ID: 6ae2558d7cda590cc7ec4517a7f03eea0af9a4feda2cf9a425fb74bfc19bba22
Opcode Fuzzy Hash: a823590da0de0ac1b8ac629cd673e97f5eed6b552d3aff42aa33357f5457b60e
Instruction Fuzzy Hash: E9419171E002099FCB14EFA9C8819BEBBB5FF59314F20416AE615A7391E7349E81DB90

Function 00CCD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CCD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00CCD13A

Strings

|, xrefs: 00CCD10B

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 95ffce7264624eccaa24226c9149666aac03306e97774868905e2080d7b0aba7
Instruction ID: 959283e7fd24220ee8c28223c7194d0235efacfaf91931223e75f61767659050
Opcode Fuzzy Hash: 95ffce7264624eccaa24226c9149666aac03306e97774868905e2080d7b0aba7
Instruction Fuzzy Hash: EA314F75D01209ABCF15EFA5CC85EEEBFB9FF04310F000029F81AA6162D771AA46DB54

Function 00CE356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00CE3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CE365C

Strings

static, xrefs: 00CE35BC

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 15d37b4d5b1b752dc7f5d15449837a6910a7d35013a08c2ba97d9490199f1be3
Instruction ID: 7f32036269c34197b5e530356caef7628a66273cf9dbe855577185e722889024
Opcode Fuzzy Hash: 15d37b4d5b1b752dc7f5d15449837a6910a7d35013a08c2ba97d9490199f1be3
Instruction Fuzzy Hash: 88318F71100284AEDB109F79DC85FFB73ADFF88720F108619F9A597290DA31AD81D764

Function 00CE4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00CE461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CE4634

Strings

', xrefs: 00CE458E

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 9cf9d8d3ea64319318b9c6d65f2ce0868bbfb315525a3c9b5ec22e40a66cd037
Instruction ID: db7d537768a024db3d69a5afc4f6d6b7cfa0c5af20e815262f1ae38f9fa8df54
Opcode Fuzzy Hash: 9cf9d8d3ea64319318b9c6d65f2ce0868bbfb315525a3c9b5ec22e40a66cd037
Instruction Fuzzy Hash: 1E314C74A013499FDF18CF6AC981BDA7BB9FF49300F104069E914AB341D770A941CF90

Function 00CE31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CE327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CE3287

Strings

Combobox, xrefs: 00CE3249

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 012987f334cb1ebbe98f35a50daf6fc37d6c85a059a053cf27988a1e350499c7
Instruction ID: f159021bb1762d7cf5b598b82c089c89ea35ca94b16b752b0a6749c386260776
Opcode Fuzzy Hash: 012987f334cb1ebbe98f35a50daf6fc37d6c85a059a053cf27988a1e350499c7
Instruction Fuzzy Hash: 2D11E2713002887FEF219E55DC88EBB37AAEB94364F104124FA689B292D631AE519760

Function 00CE3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C5600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C5604C
Part of subcall function 00C5600E: GetStockObject.GDI32(00000011), ref: 00C56060
Part of subcall function 00C5600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C5606A

GetWindowRect.USER32(00000000,?), ref: 00CE377A
GetSysColor.USER32(00000012), ref: 00CE3794

Strings

static, xrefs: 00CE3757

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 00590cc0c2657c5761e803a2ac40384e0409c6cfbe9cc8a6795ba16a1a09dc46
Instruction ID: 87b22e6e4d581f351e5d9782c178e76f2e1f6067ed89ab2c638b5c5dce949e24
Opcode Fuzzy Hash: 00590cc0c2657c5761e803a2ac40384e0409c6cfbe9cc8a6795ba16a1a09dc46
Instruction Fuzzy Hash: C21129B2610249AFDF10DFA9CD8AAEE7BB8EB08314F004524F965E3250D735E9519B60

Function 00CCCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00CCCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00CCCDA6

Strings

<local>, xrefs: 00CCCD66

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: ecc98f6c905a390c984528484953af87acf23a77e54ed54ff2d4e18eae583ccc
Instruction ID: 0e199c7f8ed6f4e777909070ff1380f22c7ecd2552adc9416e877fc51bfcabdd
Opcode Fuzzy Hash: ecc98f6c905a390c984528484953af87acf23a77e54ed54ff2d4e18eae583ccc
Instruction Fuzzy Hash: F811A071605632BAD7284B66DCC9FE7BEA8EB127A4F00422AF11E86080D6709991D6F0

Function 00CE3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00CE34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CE34BA

Strings

edit, xrefs: 00CE348F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: af73789eb79318f94d4834bc037b0c9fb9f6b9f4b71ecc90b483467b913e9b27
Instruction ID: 35fb018d27c002ff0a0724892708b61c98f1f9043ed87043bd9822200701f099
Opcode Fuzzy Hash: af73789eb79318f94d4834bc037b0c9fb9f6b9f4b71ecc90b483467b913e9b27
Instruction Fuzzy Hash: 0E11BF711002C8ABEB124E66DC88AAB3B6AEB15374F504724F970971D0C731EE51AB60

Function 00CB6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

CharUpperBuffW.USER32(?,?,?), ref: 00CB6CB6
_wcslen.LIBCMT ref: 00CB6CC2

Strings

STOP, xrefs: 00CB6CBC, 00CB6CC1

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: b347c3bc3666885e51ec62bcae4c74017cf50c5271f6c50d4bdc533202ae20c7
Instruction ID: a58b4e8983a1d21a9006e845e9629daed05500c82468beaef34f61b53543edf1
Opcode Fuzzy Hash: b347c3bc3666885e51ec62bcae4c74017cf50c5271f6c50d4bdc533202ae20c7
Instruction Fuzzy Hash: 6001D6326005278BCB209FBDDC919FF77B9EF61710F500924E86297195EB39DE44C650

Function 00CB1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

Part of subcall function 00CB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CB3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00CB1D4C

Strings

ListBox, xrefs: 00CB1D16
ComboBox, xrefs: 00CB1CEB

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3021f21a0270f308be8a13336ebebbe9324ac18351789faf737b34fd846be039
Instruction ID: f71c4947fc4dc72e9c897984846fe56eb9fc477ae2c63eb6e5b6ad87a32f39ce
Opcode Fuzzy Hash: 3021f21a0270f308be8a13336ebebbe9324ac18351789faf737b34fd846be039
Instruction Fuzzy Hash: EC01D479601218EB8B09EBB4DD61DFE77A9EB46350F580A19FC32672C1EE30594C9660

Function 00CB1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

Part of subcall function 00CB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CB3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00CB1C46

Strings

ListBox, xrefs: 00CB1C10
ComboBox, xrefs: 00CB1BE5

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0c44e1c272be379311d7492e626685640d844c939d81cf661ccf795a917fc8fc
Instruction ID: ab5917c4d7cfc2ebbbcedea5e797d1d9b8b1639eeef0ff2b1acb9f36f2787522
Opcode Fuzzy Hash: 0c44e1c272be379311d7492e626685640d844c939d81cf661ccf795a917fc8fc
Instruction Fuzzy Hash: 1701A779781104AACB04EB90DA62AFF7BA8DB52340F540019BC16672C2EE349F4C96B5

Function 00CB1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

Part of subcall function 00CB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CB3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00CB1CC8

Strings

ListBox, xrefs: 00CB1C94
ComboBox, xrefs: 00CB1C69

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: d76668e1e2040a782ac9a6580fa5e8dfefdc291b34f77c16281e6872f1fde5fb
Instruction ID: d9a91ca46c23151a5cdcd50bae4ff80f61c2c611a926543ffe99d0e5b2ac7ba5
Opcode Fuzzy Hash: d76668e1e2040a782ac9a6580fa5e8dfefdc291b34f77c16281e6872f1fde5fb
Instruction Fuzzy Hash: 9501A775740124A6CB04E794DA51AFE7BA8DB11380F540015BC1273281EA209F4C9675

Function 00CB1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C59CB3: _wcslen.LIBCMT ref: 00C59CBD

Part of subcall function 00CB3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00CB3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00CB1DD3

Strings

ListBox, xrefs: 00CB1DA0
ComboBox, xrefs: 00CB1D75

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0d8246edcd9e4d71e607c2f4cd916ec80e054a3c1b7bc4b3724c2c1d219455f8
Instruction ID: 5bac8058d00a8d99810fd3360c14343857b08c21a7ddab30232c0f1d2cad8c47
Opcode Fuzzy Hash: 0d8246edcd9e4d71e607c2f4cd916ec80e054a3c1b7bc4b3724c2c1d219455f8
Instruction Fuzzy Hash: 6BF0F975B50214A6C704E7A4DD51BFF7778EB02340F440915BC22632C1DE705A0C9264

Function 00CD747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CD7493
_wcslen.LIBCMT ref: 00CD74B9

Strings

3, 3, 16, 1, xrefs: 00CD7483

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: e7060262a621c107345015f7431a6127ab29e770e829cefb4d069fec49e3ea6d
Instruction ID: 1bbba2155d867f212cd33c1d1ab617f7bef431ed9b1a3231de3497d55e6f3a9a
Opcode Fuzzy Hash: e7060262a621c107345015f7431a6127ab29e770e829cefb4d069fec49e3ea6d
Instruction Fuzzy Hash: AEE06102304320219336127AECC197F568DCFC5750710182BFB99C2366FBA4CED1A3B1

Function 00CB0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00CB0B23

Strings

Error allocating memory., xrefs: 00CB0B1C
AutoIt, xrefs: 00CB0B17

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: a281bfc8023e349591058c7122f1289072153870068e240958efc8b1b8af0ba5
Instruction ID: 3eea3e456b2a676cf36c7506fe1b8b9db1701fbae997b3c98e60160189670100
Opcode Fuzzy Hash: a281bfc8023e349591058c7122f1289072153870068e240958efc8b1b8af0ba5
Instruction Fuzzy Hash: 93E0D8312843487BD22436557C83FC97A849F05B61F20042AFB58954C38BE2289116A9

Function 00C70D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C6F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C70D71,?,?,?,00C5100A), ref: 00C6F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00C5100A), ref: 00C70D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C5100A), ref: 00C70D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C70D7F

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 011d942648c156a3ad27b5607d9aa1b25114a899f7f02c3f59e762eb391adf3e
Instruction ID: 68a09ae1350e17b0f9810ba8cfddeeafc0d00273bd9ff4c9ffdb6f26f21deb83
Opcode Fuzzy Hash: 011d942648c156a3ad27b5607d9aa1b25114a899f7f02c3f59e762eb391adf3e
Instruction Fuzzy Hash: DDE06DB42007918FD7309FB9E4883467BE0BB20744F10892DE496CB751DBB4E4868BA1

Function 00CC3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00CC302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00CC3044

Strings

aut, xrefs: 00CC3038

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 5f199b6d360c88a7bfc5c417c677e756172fc5d13cecfc22cd99a1f160b65be7
Instruction ID: 03d4959bc44d82eeeebc632340926b7764fa669bd887b7b1d85198203a95bbd8
Opcode Fuzzy Hash: 5f199b6d360c88a7bfc5c417c677e756172fc5d13cecfc22cd99a1f160b65be7
Instruction Fuzzy Hash: 64D05BB150035477DA209794AC8DFCB3A6CDB04751F0001517755D6091DAB4D585CAD0

Function 00CAD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00CAD220

Strings

X64, xrefs: 00CAD2A8
%.3d, xrefs: 00CAD22B

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: ddd3131cb53b4f8ce3d640ba99a6edbd3c4a6e0893b305952cf9839fcbad1033
Instruction ID: 1d5204d3de70d3d744d90a501073fc5bc5215bc81f366c538966e3d521b86d37
Opcode Fuzzy Hash: ddd3131cb53b4f8ce3d640ba99a6edbd3c4a6e0893b305952cf9839fcbad1033
Instruction Fuzzy Hash: 60D012A1C0810AEACB5096D1DCC5AF9B37CBB09305F508552F91791440D624C949E761

Function 00CE2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CE236C
PostMessageW.USER32(00000000), ref: 00CE2373

Part of subcall function 00CBE97B: Sleep.KERNEL32 ref: 00CBE9F3

Strings

Shell_TrayWnd, xrefs: 00CE2365

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 725f6bba4d80961393738fd874867d0d999d9a683da2407aeb801fab5e7bf6a8
Instruction ID: 501fd5c0f555d5328806821c021ddb3e6f21e27e3f17895982034a84c1f2aa04
Opcode Fuzzy Hash: 725f6bba4d80961393738fd874867d0d999d9a683da2407aeb801fab5e7bf6a8
Instruction Fuzzy Hash: E8D0C936786350BAE664A771AC8FFCA66189B14B10F1049167645AA1D0C9A0B846CA54

Function 00CE2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CE232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CE233F

Part of subcall function 00CBE97B: Sleep.KERNEL32 ref: 00CBE9F3

Strings

Shell_TrayWnd, xrefs: 00CE2325

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2bec8c5ce59f62ec763d214c2d6aad1c87524dc521b697f8043f88938df95b09
Instruction ID: 38bb63f58c16d2d2a0cea37f74bfbf24335bf55a623845cc05f23d11666185dc
Opcode Fuzzy Hash: 2bec8c5ce59f62ec763d214c2d6aad1c87524dc521b697f8043f88938df95b09
Instruction Fuzzy Hash: C6D01236795350BBE664B771EC8FFCB7A189B10F10F1049167745AE1D0C9F0B846CA54

Function 00C8BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00C8BE93
GetLastError.KERNEL32 ref: 00C8BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C8BEFC

Memory Dump Source

Source File: 00000000.00000002.2169165242.0000000000C51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C50000, based on PE: true

Associated: 00000000.00000002.2169148677.0000000000C50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000CEC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169223235.0000000000D12000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169267708.0000000000D1C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2169285310.0000000000D24000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c50000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1e91fcb05e4ddd757f9b9f34cb9344b2b6a48b4cab77f2e01af7289ebd077ff2
Instruction ID: 1f907c6fc8785f4f6716a79bf7a752de806b4ff0a8225c61d0e8420d42d582b2
Opcode Fuzzy Hash: 1e91fcb05e4ddd757f9b9f34cb9344b2b6a48b4cab77f2e01af7289ebd077ff2
Instruction Fuzzy Hash: FC41FA39604206AFCF21EFA5CC84BBE7BA5EF41314F144169FA695B1A1DB308E01DB64

Analysis Process: firefox.exePID: 1352, Parent PID: 1248COMMON

Executed Functions

Function 000001A98E1F91D7 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000003.2231070599.000001A98E1F1000.00000020.00000800.00020000.00000000.sdmp, Offset: 000001A98E1F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_3_1a98e1f1000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05058ef15174d643ffe0c8b5abe9ca2c35ce6ff389b30e26f5b6ab59c577414
Instruction ID: 024934fd424de0501e88d18489125dbc8828a27bea494e3277b95d0b85727b18
Opcode Fuzzy Hash: c05058ef15174d643ffe0c8b5abe9ca2c35ce6ff389b30e26f5b6ab59c577414
Instruction Fuzzy Hash: E4D0A93264480C8BEA20A6808C66BE8B3A0FB8A320F540012950EE72C1C669E8A247C2

Analysis Process: firefox.exePID: 7064, Parent PID: 1352COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 000002214D3D65F7 Relevance: 8.4, APIs: 1, Instructions: 6852nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 000002214D3D661C

Memory Dump Source

Source File: 00000011.00000002.3354690672.000002214D3D4000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002214D3D4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2214d3d4000_firefox.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction ID: 0c1ef744df75ac65abf253795174f386a3179be2f9af9a85cf15de9512de66a7
Opcode Fuzzy Hash: a3d4a310f25344abd1978f5247c9d082b9ccbb3eaa73dfa71153365510a96fee
Instruction Fuzzy Hash: E0A3F771614A498BDB2DEF68CC857AA77E5FB95304F04422EE94BC3251DF30EA52CB81

Function 000002214D3C9381 Relevance: .1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.3353802211.000002214D3C9000.00000020.00000001.00020000.00000000.sdmp, Offset: 000002214D3C9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_2214d3c9000_firefox.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5df3059afd43259bdede493c10c1f2077a3eae2dcd64889d7f95d130eb26465
Instruction ID: 762dc35e9c51debfbc92f3dc83d5d4045013513d5b84965004c91e2d18f3e548
Opcode Fuzzy Hash: c5df3059afd43259bdede493c10c1f2077a3eae2dcd64889d7f95d130eb26465
Instruction Fuzzy Hash: 9821A57151CB8C4FDB45EF28C844A96BBE0FBAA315F1506AFE08AC3292D734D945C792

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 52.222.236.80 52.222.236.80
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.2365033333.000002BC80B6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2274207160.000002BC8B775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274207160.000002BC8B799000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221204760.000002BC8B776000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2274207160.000002BC8B775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274207160.000002BC8B799000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221204760.000002BC8B776000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2361436348.000002BC82CE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2391465991.000002BC82CE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2388008995.000002BC8985D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2388008995.000002BC8985D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2274207160.000002BC8B775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274207160.000002BC8B799000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221204760.000002BC8B776000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2274207160.000002BC8B775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2274207160.000002BC8B799000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221204760.000002BC8B776000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000011.00000002.3348978354.000002214CE0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3349785789.000001937450C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000011.00000002.3348978354.000002214CE0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3349785789.000001937450C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000011.00000002.3348978354.000002214CE0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3349785789.000001937450C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000002.3349785789.000001937450C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/&6 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000002.3349785789.000001937450C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/&6 equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000002.3349785789.000001937450C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/&6 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2384886856.000002BC8B5DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2361436348.000002BC82CE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2355538536.000002BC89D48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.2384886856.000002BC8B5DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2221940907.000002BC8B5DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2316637804.000002BC8B5DB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2355538536.000002BC89D48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2334630621.000002BC89D48000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.2274207160.000002BC8B775000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2353951561.000002BC8B790000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.2382761322.000002BC8B790000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:49802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49890 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.222.236.80:443 -> 192.168.2.5:49891 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.5:49899 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49900 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49902 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49901 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50029 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50030 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49900

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_99aa29f8-13ee-4408-b8f2-a1297ea5467a.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_99aa29f8-13ee-4408-b8f2-a1297ea5467a.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre